(54) Circuit and method for modulo multiplication and exponentiation arithmetic



(57) In order to avoid a large-scale arithmetic circuit and a complicated processing procedure in performing
modular arithmetic such as modular exponentiation and modular multiplication used for encrypting plaintext
or the like, the method and apparatus of the present invention perform the modular arithmetic which executes
a first common equation of a modular multiplication arithmetic f(A, B)=AxBmodN ("mod" denotes modular
arithmetic) to calculate a remainder of a product of an integer A and an integer B divided by an integer N,
using a second common equation of Montgomery's replacement arithmetic f'(A, B)=AxBxR'modN corresponding
to the first common equation f(A, B)=AxBmodN (R' denotes a value to meet the equation RxR'modN=1 with
respect to R, which is a power of 2 slightly larger than modulus N). The method and apparatus comprise a
first step or means for executing a first replacement arithmetic f1'(R^S modNxA^T, B^U) (S denotes
one of 0, 1, and 2; T denotes one of 0 and 1; and U denotes one of 0 and 1), and a second step or means for
executing a second replacement arithmetic fg' {R^' 
®modNxA'^xfi'(RSmodNxA'r, B^). R^modNxA^-^^xB^"^)}. 
Description

BACKGROUND OF THE INVENTION 

The present invention relates to the encryption and decryption technique of information used in fields such as
information communication networks, traffic systems, banking facilities, medical services, distribution industries and the
like, and more particularly to a circuit and a system for modulo exponentiation arithmetic and an arithmetic method of
performing modulo exponentiation arithmetic for realizing the encryption and decryption of the information.

With the development of information communication techniques, ensuring security on the information network
(preventing stealing and destruction of data) is being regarded as important. For this purpose, the encryption and
decryption technique of information is being used not only in the information communication field but also in fields
such as traffic systems, banking facilities, medical services, distribution industries and the like. Accordingly, the
encryption and decryption technique of this kind is required to be able to realize high-degree security by a simple principle.

In order to facilitate understanding of the technique of this kind, encryption and decryption of information is now 
described in brief. 

In cryptography, the "asymmetric cryptograph algorithm" is excellent qualitatively. In the asymmetric cryptograph
algorithm, the encryption key and the decryption key are different from each other and one key cannot be
calculated easily from the other key.

Representatives of the asymmetric cryptograph algorithm include the RSA cryptograph, the Elgamal cryptograph,
the Rabin cryptograph and the Williams cryptograph, which use the modulo exponentiation arithmetic. One application
of the cryptograph algorithm is the "digital signature" system, and there is at present a tendency toward its
standardization. Representatives of the digital signature systems to be standardized include the RSA signature
method, the Elgamal signature method, the Schnorr signature method and the DSA (Digital Signature Algorithm)
method, all of which use the modulo exponentiation arithmetic of a long bit length. Accordingly, it is indispensable to
develop an arithmetic unit capable of completing the modulo exponentiation arithmetic having a long bit length in a short
time in order to realize the digital signature system.

The RSA cryptograph, the Elgamal cryptograph, the Rabin cryptograph and the Williams cryptograph basically use
the modulo exponentiation arithmetic form represented by the following equation (1). The equation (1) means that a
remainder of X^Y divided by N is calculated. Further, in the equation (1), X represents a plaintext to be encrypted
(decrypted), and Y and N represent keys for encryption (decryption).

X^Y modN (1)

The modulo exponentiation arithmetic can be used to perform the encryption and the decryption of information
easily, and lengthening the bit length of the operands X, Y and N makes it difficult to cryptanalyze the keys.

However, when the bit length of the operand is made long, it takes a long time to perform the modulo exponentiation
arithmetic. The point is how the modulo exponentiation arithmetic having a long bit length of the operand is completed
in a short time.

The actual encryption and decryption using the modulo exponentiation arithmetic and the usage thereof are now 
described by taking the RSA cryptograph as an example. 

(1) SUMMARY OF ENCRYPTION AND DECRYPTION OF THE RSA CRYPTOGRAPH 

For the encryption, the following equation is used: C=M^e modn (2)

For the decryption, the following equation is used: M=C^d modn (3)

where M represents a plaintext to be encrypted and C represents an encrypted plaintext, that is, a ciphertext. In the
equation (2) e and n represent encryption keys and in the equation (3) d and n decryption keys. These keys are
previously given the following conditions:

n=pxq (4)

1==exd mod{LCM(p-1,q-1)} (5)

where "==" means that the left side and the right side of the equation are similar and LCM means the least common
multiple. Further, p and q are relatively prime integers. In addition, the keys e and n are public keys and d, n and q are
secret keys.

The above equations (4) and (5) both define conditions of numerical values of the modulo exponentiation arithmetic
in the encryption algorithm. The equation (4) defines that n is a product of large prime numbers p and q which are prime
to each other. The prime numbers p and q are both odd numbers and accordingly the product n must naturally be an
odd number. Further, the equation (5) shows that a remainder of a product exd of e and d divided by the least common
multiple of the values obtained by subtracting 1 from p and q shown in the equation (4) is 1.

On the basis of the equations (4) and (5), the plaintext M is encrypted by means of the equation (2) and the
encrypted plaintext M (ciphertext C) is decrypted by means of the equation (3).

(2) EXAMPLE OF ENCRYPTION AND DECRYPTION 

Referring to Fig. 2, description is made of the processing performed by a transmitting person A and a receiving
person B in the case where "the transmitting person A encrypts the plaintext M into the ciphertext C to transmit it
and the receiving person B decrypts the ciphertext C into the plaintext M" (with the digital signature) as a definite
example.

THE PROCESS PERFORMED BY THE TRANSMITTING PERSON A:

The plaintext MA prepared by the transmitting person A is encrypted by means of the transmitting person's own
secret key dA to prepare a signature text CA (signature).

CA==MA^dA modnA (6)

The public key eB of the person B is used to prepare an encrypted signature text cA (encryption).

cA==CA^eB modnB (7)

The cA is transmitted to the person B.

THE PROCESS PERFORMED BY THE RECEIVING PERSON B:

The encrypted signature text cA received by the person B is decrypted by means of the receiving person's own
secret key dB (decryption).

cA^dB modnB==(CA^eB modnB)^dB modnB (8)

When CA^eB=X, the equation (8) can be transformed to:

(CA^eB modnB)^dB modnB=(XmodnB)^dB modnB (9)

In the equation (9), when XmodnB=Y, that is, when a remainder of X divided by nB is Y and a quotient thereof is k, the
equation can be expressed by:

X=kxnB+Y (10)
Y=X-kxnB

Accordingly, when the equation (10) is substituted for the corresponding portion in the right side of the equation (9), the
equation (9) is expressed by:

(XmodnB)^dB modnB=Y^dB modnB (11)
=(X-kxnB)^dB modnB

When (X-kxnB)^dB of the equation (11) is expanded by using constants ai (i=1, 2, ...), the (X-kxnB)^dB can be expressed
by:

(X-kxnB)^dB=(X^dB-a1xX^(dB-1)xnB+a2xX^(dB-2)xnB^2- ... -aixnB^dB) (12)

When the equation (12) is substituted for the corresponding portion of the equation (11),

(XmodnB)^dB modnB
=Y^dB modnB
=(X-kxnB)^dB modnB
=(X^dB-a1xX^(dB-1)xnB+a2xX^(dB-2)xnB^2- ... -aixnB^dB)modnB
=X^dB modnB-a1xX^(dB-1)xnBmodnB+a2xX^(dB-2)xnB^2 modnB- ... -aixnB^dB modnB

The second and subsequent terms of this equation can all be divided by nB and can hence be
deleted. Accordingly, this equation is expressed by:

=X^dB modnB (13)

CA^eB=X is assumed above and accordingly when X is returned to CA^eB, the equation is obtained as follows:

=(CA^eB)^dB modnB (14)

When the above process is summarized, the above equation is as follows:

cA^dB modnB==(CA^eB modnB)^dB modnB
=(CA^eB)^dB modnB

Since eB and dB satisfy the equation (5), eB and dB are expressed by the following equation by using a
certain integer h.

eBxdB=h(pB-1)+1

When Fermat's small theorem, that the equation X^(p-1) modp=1 holds for a prime number p and any integer X
which is prime to p, is used, the above equation is expressed by:

CA^(eBxdB) modpB=CA^(h(pB-1)+1) modpB (15)
=CAxCA^(h(pB-1)) modpB
==CAmodpB

Since the above equation is satisfied even if CA is a multiple of pB, CA^(eBxdB)-CA can be divided by pB for all CA.
Similarly, CA^(eBxdB)-CA can be divided by qB. Since pB and qB are different prime numbers, CA^(eBxdB)-CA can be
divided by nB=pBxqB. Accordingly, the following equation holds.

cA^dB modnB==CA^(eBxdB) modnB==CAmodnB (=CA)

The public key eA of the transmitting person is used to prepare the plaintext MA (authentication of signature).

CA^eA modnA==(MA^dA)^eA modnA
==(MA^eA)^dA modnA

When calculation is made in the same manner as the above decryption process, the following equation is derived.

=MA

As described above, values of e, d and n are determined under the conditions of the equations (4) and (5) and the
modulo exponentiation arithmetic form represented by the equation (1) is used basically, so that plaintext can be encrypted
and the encrypted plaintext can be decrypted.

For example, when n=15, e=3, p=5, q=3 and d=11 (n=pxq=5x3=15, exdmod(p-1)x(q-1)=3x11mod4x2=33mod8=1)
and plaintext M=13, encryption and decryption are made as follows, respectively:

C=M^e modn=13^3 mod15=2197mod15=7

M=C^d modn=7^11 mod15=1977326743mod15=13

It is confirmed that the plaintext M=13 is decrypted.

(3) MODULO EXPONENTIATION ARITHMETIC METHOD

The modulo exponentiation arithmetic method used in encryption and decryption is now described.
The modulo exponentiation arithmetic of A=M^e modN is executed by using the iterative square and multiplication
method shown in the following flow 1 with the binary expansion of the integer e being e=e(k-1) ... e1 e0.
[FLOW 1]

begin
  A=1
  for i=k-1 down to 0 do
  begin
    A=A^2 modN (16)
    if ei=1 then A=AxMmodN (17)
  end
end

The iterative square and multiplication method is expressed by a flow chart of Fig. 3.

First, an initial value 1 is loaded into a register A. The value stored in the register A is multiplied by itself to calculate
AxA and the product AxA is divided by N to obtain a remainder. The remainder is stored in a register a. Then, the value
stored in the register a is loaded into the register A. At this time, if the current bit of the exponent e is equal to 1, the
value stored in the register A is multiplied by the plaintext M and the product thereof is divided by N to obtain a remainder,
which is stored in the register a. Then, the contents of the register a are stored into the register A again. If the current bit
of the exponent e is equal to 0, the above calculation is not performed and the value stored in the register A remains as it
is without any operation. The above calculation is repeatedly performed from the most significant bit to the least
significant bit of e, so that the value stored finally into the register A is a solution of the modulo exponentiation
arithmetic to be calculated.

As described above, the foundation of the arithmetic is the multiplication and division (modular arithmetic) as shown
by the equations (16) and (17). The multiplication performs AxA or AxM for the value of A having 1 as its initial value
and the division performs modN for the value obtained by each multiplication. A pair of arithmetic operations of the
multiplication and the division (AxAmodN or AxMmodN) is repeated in accordance with the bit values of "e". That is, the
multiplication and the division are performed in accordance with the contents of the bits from the most significant bit to
the least significant bit of "e".

The foregoing has described the modulo exponentiation arithmetic, which can obtain a solution by repeating the
basic remainder arithmetic or modular arithmetic. The number of times of the repetition is several hundreds to
thousands at most and accordingly the repetitive operation can be treated even by the software process. However, the
modular arithmetic itself requires a large-scale arithmetic circuit and a complicated processing procedure in order to
perform the division and accordingly it is desired to improve the modular arithmetic.
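
The signed and encrypted exchange of section (2), carried out with the square-and-multiply loop of Flow 1, as an added example that is not code from the patent. The primes, exponents and message are small constructed values, the function names are illustrative, and the sender's modulus is chosen smaller than the receiver's so that the signature text CA fits below nB.

```python
from math import gcd


def modexp_flow1(M, e, N):
    """Flow 1: left-to-right square-and-multiply, returns M^e mod N."""
    A = 1
    for i in range(e.bit_length() - 1, -1, -1):   # bits e(k-1) ... e0
        A = (A * A) % N                            # equation (16)
        if (e >> i) & 1:
            A = (A * M) % N                        # equation (17)
    return A


def make_key(p, q, e):
    """Equations (4) and (5): n = p*q and e*d == 1 mod LCM(p-1, q-1)."""
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    if gcd(e, lam) != 1:
        raise ValueError("e must be prime to LCM(p-1, q-1)")
    return {"n": p * q, "e": e, "d": pow(e, -1, lam)}


def sender_a(MA, key_a, pub_b):
    """Person A: sign with dA (6), then encrypt with B's public eB (7)."""
    if not 0 <= MA < key_a["n"] or key_a["n"] > pub_b["n"]:
        raise ValueError("need 0 <= MA < nA <= nB so that no value wraps")
    CA = modexp_flow1(MA, key_a["d"], key_a["n"])
    return modexp_flow1(CA, pub_b["e"], pub_b["n"])


def receiver_b(cA, key_b, pub_a):
    """Person B: decrypt with dB (8)-(14), then check the signature with eA."""
    CA = modexp_flow1(cA, key_b["d"], key_b["n"])
    return modexp_flow1(CA, pub_a["e"], pub_a["n"])


# Constructed toy keys; real moduli are hundreds of digits long.
KEY_A = make_key(61, 53, 17)    # nA = 3233
KEY_B = make_key(89, 97, 5)     # nB = 8633

if __name__ == "__main__":
    cA = sender_a(1234, KEY_A, KEY_B)
    print("cA =", cA, "-> recovered MA =", receiver_b(cA, KEY_B, KEY_A))
```

This is the unpadded operation exactly as the text describes it; the loop's multiply step runs only for 1 bits of the exponent, so its running time depends on the key.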

SUMMARY OF THE INVENTION 

Therefore, the object of the present invention is to provide a method and apparatus for performing modular
arithmetic more simply and efficiently.

According to an aspect of the present invention, in the method and apparatus for a modular multiplication arithmetic
which executes a first common equation of a modular multiplication arithmetic f(A, B)=AxBmodN ("mod" denotes
modular arithmetic) to calculate a remainder of a product of an integer A and an integer B divided by an integer N, using a
second common equation of Montgomery's replacement arithmetic f'(A, B)=AxBxR'modN corresponding to the first
common equation f(A, B)=AxBmodN (R' denotes a value to meet the equation RxR'modN=1 with respect to R, which is
a power of 2 slightly larger than modulus N), the method and apparatus comprise a first step or means for executing
a first replacement arithmetic f1'(R^S modNxA^T, B^U) (S denotes one of 0, 1, and 2; T denotes one of 0 and 1; and U
denotes one of 0 and 1), and a second step or means for executing a second replacement arithmetic ^2 {R^"
SmodNxA'^xf^'(RSmodNxA'^, B^), R^modNxA^-^xB^"^)}. 
According to another aspect of the present invention, in the method and apparatus for performing a modular
exponentiation arithmetic which executes a general equation of a modular exponentiation arithmetic F(M, E)=M^E modN ("mod"
denotes modular arithmetic) to calculate a remainder of an integer M to the integer Eth power divided by an integer N,
by executing a first common equation of a modular multiplication arithmetic f(A, B)=AxBmodN to calculate a remainder
of a product of an integer A and an integer B divided by an integer N, using a second common equation of
Montgomery's replacement arithmetic f'(A, B)=AxBxR'modN corresponding to the first common equation f(A, B)=AxBmodN
(R' denotes a value to meet the equation RxR'modN=1 with respect to R, which is a power of 2 slightly larger than
modulus N) in the iterative square and multiplication method for calculating the modular exponentiation arithmetic, the
method and apparatus comprise a first step or means for executing a first replacement arithmetic f1'(f2', f2') (the initial
f1'=f1'(RmodN, RmodN)), a second step or means for executing a second replacement arithmetic f2'(f1', MxRmodN), and
a third step or means for executing a third replacement arithmetic f3'(f2', 1), wherein the third step of executing is laid after
the first step of executing and the second step of executing are repeated at respective times specified by the integer E.

According to still another aspect of the present invention, in the encrypting apparatus which prepares a cryptograph
by encrypting a plaintext M with encryption keys E and N, wherein a common equation of Montgomery's replacement
arithmetic f'(A, B)=AxBxR'modN corresponding to a common equation f(A, B)=AxBmodN in the iterative square and
multiplication method for executing the modular exponentiation arithmetic is employed, the encrypting apparatus
comprises, for given XxRmodN and YxRmodN, first executing means for executing a first replacement arithmetic
f1'(XxRmodN, XxRmodN)=X^2xRmodN, second executing means for executing a second replacement arithmetic
f2'(XxRmodN, YxRmodN)=XxYxRmodN, and third executing means for executing a third replacement arithmetic
f3'(XxRmodN, 1)=XmodN.

BRIEF DESCRIPTION OF THE DRAWINGS 

Fig. 1 is a flow chart in the present invention;
Fig. 2 is a diagram for explaining a definite example of processing of ciphertext;
Fig. 3 is a flow chart showing a modulo exponentiation arithmetic;
Fig. 4 is a block diagram schematically illustrating a hardware of the present invention;
Fig. 5 is a block diagram schematically illustrating a first embodiment of the present invention;
Fig. 6 is a diagram for explaining unit of multiplication and addition;
Fig. 7 shows a hardware image for explaining operation of the first embodiment of the present invention;
Fig. 8 is a block diagram schematically illustrating a second embodiment of the present invention;
Fig. 9 is a block diagram schematically illustrating a third embodiment of the present invention;
Fig. 10 is a block diagram schematically illustrating a fourth embodiment of the present invention;
Fig. 11 shows a hardware image for explaining operation of the fourth embodiment of the present invention;
Fig. 12 shows an arithmetic example for explaining operation of the fourth embodiment of the present invention;
Fig. 13 is a block diagram schematically illustrating a fifth embodiment of the present invention;
Fig. 14 shows a hardware image for explaining operation of the fifth embodiment of the present invention;
Fig. 15 shows a hardware image for explaining operation of the fifth embodiment of the present invention;
Fig. 16 shows an arithmetic example for explaining operation of the fifth embodiment of the present invention;
Fig. 17 is a block diagram schematically illustrating a sixth embodiment of the present invention;
Fig. 18 is a block diagram schematically illustrating a seventh embodiment of the present invention;
Fig. 19 is a block diagram schematically illustrating an eighth embodiment of the present invention;
Fig. 20 is a block diagram schematically illustrating a ninth embodiment of the present invention;
Fig. 21 is a flowchart showing the calculation of N'; and
Fig. 22 is an example of calculating N' and R'.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS 

In the modulo exponentiation arithmetic, the procedure of performing the basic modular arithmetic is very
complicated and accordingly the arithmetic circuit is made large as described above. Thus, Montgomery has proposed a
scheme for obtaining a solution of a modular arithmetic by performing "multiplication" and simple bit string processing
without performing the modular arithmetic in the general manner as described above. The present invention basically
utilizes Montgomery's proposed scheme to perform the arithmetic operation and accordingly Montgomery's
proposed scheme is now described in brief, while measures for shortening an operation time in each arithmetic
operation are characteristic of the present invention.

In the modular arithmetic, R is defined as a power of 2 which is slightly larger than modulus N and an inverse
value of R in the "multiplication modN" [meaning that a remainder of (a value x a value)/(value N) is calculated] is defined
as R' (RxR'modN=1 holds). Further, N' satisfying the relation of RxR'-NxN'=1 and 0<N'<R is defined (N' is an
inverse value of N in the "Montgomery's arithmetic scheme"). At this time, for example, when the modular arithmetic in
the form of M(X)=XmodN is performed, the form is substituted by the following form:

M'(X)=XxR'modN (18)

Thus, when the calculation method of a function REDC(X) shown in the following flow 2 is performed, the solution of the
modular arithmetic can be obtained without dependence on the general method (multiplication and division are merely
performed) as described above. However, the flow 2 is a flow for calculating a solution of the modular arithmetic and is
not a flow for calculating a solution of the modulo exponentiation arithmetic. The solution of the equation (18) is t or t-N
obtained by the above function.

[FLOW 2]

FUNCTION REDC(X):

function REDC(X)
  m=(XmodR)xN'modR (19)
  t=(X+mxN)/R (20)
  if t<N
    return t (t: result)
  else return t-N (t-N: result)

The above function includes the multiplication using arithmetic elements N and N' and the division using arithmetic
element R. Since R=2^n is defined, the division using R has a quotient which is the value of the dividend exceeding 2^n and
a remainder which is a value smaller than 2^n. Accordingly, the modular arithmetic of the equation (19) merely examines
a value smaller than 2^n basically and the division of the equation (20) merely examines a value equal to or larger than
2^n basically. That is, the solution of the modular arithmetic can be obtained only by the multiplication and the addition
without substantial execution of the division (modular arithmetic).

For reference, the relation of m, R and N is now described using the equations (19) and (20).

In the equation (19),

mxN=((XmodR)xN'modR)xN
==XxNxN'modR
==Xx(RxR'-1)modR
==XxRxR'modR-XmodR
==-XmodR

X+mxN
==X+(-XmodR)
==0modR

This equation means that a remainder is equal to 0 when X+mxN is divided by R, that is, X+mxN can be divided by R
without a remainder.

Since X+mxN is a sum of "X" and "a multiple of N",
(X+mxN)modN
==XmodN+mxNmodN
==XmodN

Accordingly, from the equation (20),
txRmodN
==XmodN
When both sides are multiplied by R',
txRxR'modN
==tmodN
==XxR'modN

If X of the above equation XxR'modN is a multiplier value after calculation of modN or modR (described later),
X<NxN<RxN<RxR
Since m is an executed result of modR, m<R. Accordingly,
mxN<RxN
Since X<RxN,
X+mxN<RxN+RxN=2RxN
Accordingly, the following equations hold.
t=(X+mxN)/R<2N
t<2N

If t is larger than N, N is subtracted from both sides of the above equation to obtain the following equation.
t-N<N
It is understood from this equation that t-N is a value subjected to modN.

Further, calculation of t=(X+mxN)/R of the equation (20) and completion of calculation of t are now described
supplementarily.

X+mxN is necessarily a multiple of R and accordingly, for example, when R=2^576, values less than 576 bits of
X+mxN are all 0. Thus, calculation of t of the equation (20) is classified into the following two manners.

(i) When X is not a multiple of R:

bit strings of X+mxN and R are expressed as an image as follows:

R     =      1000...0000
X     = ????????...????
mxN   = ????????...????
X+mxN = ??????000...0000
        ------

In the calculation of the equation (20), since t is necessarily obtained as an integer value, X+mxN becomes a
multiple of R. Accordingly, X+mxN is as the above bit string image. The underlined portion is a solution of t. The
reason is that since X+mxN is a multiple of R, an addition result of X and mxN less than R should be necessarily 0
and values indicated by ? are not all 0 originally, so that a carry to the figure exceeding R should be generated
in the course of addition. Accordingly, the values of X and mxN less than R are neglected and the following
calculation is made to obtain the solution.

t=(value of X above R)+(value of mxN above R)+1

(ii) When X is a multiple of R:

bit strings of X and R are expressed as an image as follows:

R =      1000...0000
X = ?????000...0000

At this time, XmodR of the equation (19) is 0 and accordingly m=0. If m=0, calculation of the equation (20) is
t=X/R. Since an integer value is necessarily obtained as t, the solution can be obtained by the following calculation.

t=(value of X above R)

Judgment as to whether X is a multiple of R or not can be made on the basis of whether a value of X less than R
is 0 or not. This means that calculation for all of the bit length of X is not required in the calculation of t, so that a
calculation amount and a calculation time can be reduced.

With respect to completion of calculation of t, the calculation result of the function REDC(X) is a value in the range
of 0<t<2N and when N<t, calculation of t-N must be made again as shown in the flow 2. However, with respect to the
calculation result t of the function REDC(X) performed on the way of the modulo exponentiation arithmetic, when it is
within the range of t<R even if there is the relation of N=<t, the subsequent calculation may be made as it is. The reason
is that the N value left at this process is removed by the modular arithmetic performed later.

When it is assumed that the calculation result on the way of the modulo exponentiation arithmetic is MmodN=S, the
following relation holds.

M=k1xN+S=(k1-1)xN+N+S

Accordingly, when it is considered that N+S is left in the modular arithmetic at this time, the following process is
performed in the next modular arithmetic, for example, A^2 modN (refer to Fig. 3) of the modulo exponentiation
arithmetic, to thereby perform the modular arithmetic again.

M1=AxA=(N+S)x(N+S)
=N^2+2xNxS+S^2

Thus,

M1modN=(N^2+2xNxS+S^2)modN
==S^2 modN

The above equation means that the N value left at the previous modular arithmetic is removed. Further,
even when M1 is calculated in the modulo exponentiation arithmetic of AxMmodN, the similar result is obtained. Even
in the Montgomery's method, it comes to the same thing.

For simplification, description is made using an actual numerical value of a short bit length by way of example.

When it is assumed that N=13(1101), R=(10000) and t=15(1111) which has been obtained in the last calculation
of the function REDC(X), these values have the relation of N=<t<R<2N. Bit 4 of t at this time is "0", while a pure solution
of the modular arithmetic is not obtained as a value of t itself yet. However, since t does not exceed the bit length of N,
it is appropriate as a substitution value in the next modulo exponentiation arithmetic of AxAxR'modN or AxMxR'modN.
That is, since result values of the multiplication of AxA and AxM performed next do not exceed a prescribed bit length
(in the above example of the numerical value, 4 bits x 2 = 8 bits), the calculation of "multiplication R'modN" having the
prescribed bit length can be performed continuously.

t can be expressed as t=15=13+2=N+2. This means that the value of t obtained by the last function REDC(X) is
"the value having N which has been left" in the calculation of modN. When the value of t is substituted for A as it is,
AxAxR'modN is calculated as follows.

AxAxR'modN
=(N+2)x(N+2)xR'modN
=(N^2+4N+4)xR'modN
==N^2xR'modN+4NxR'modN+4xR'modN
==4xR'modN

This has the same result as the case where AxAxR'modN is calculated with a pure solution t=2 of the modN arithmetic
instead of the value of t obtained by the last function REDC(X) and which is not t=N+2.

(ACTUAL EXAMPLE)

Calculation of M'(X)=XxR'modN for X=44123, R=2^8 and N=199:

From the relation of RxR'modN=1 and RxR'-NxN'=1, R'=7 and N'=9. Accordingly, M'(X)=44123x7mod199=13=0Dh
should hold. The function REDC(X) is used to obtain the above solution.

From X=44123=AC5Bh, R=100h, N=199=C7h and N'=9h, (Function REDC(X))

m=(XmodR)xN'modR=5Bh x 9h modR=333h modR
=33h
t=(X+mxN)/R=(AC5Bh+33h x C7h)/R
=D400h/R=D4h

A pure solution is t-N=D4h-C7h=0Dh, while txtxR'modN is executed as it is (next equation 1).

1. for t=D4h: txt=D4h x D4h=AF90h
m=(XmodR)xN'modR=90h x 9h modR
=510h modR=10h
t=(X+mxN)/R=(AF90h+10h x C7h)/R
=BC00h/R=BCh

2. for t=0Dh: txt=0Dh x 0Dh=00A9h
m=(XmodR)xN'modR=A9h x 9h modR
=5F1h modR=F1h
t=(X+mxN)/R=(00A9h+F1h x C7h)/R
=BC00h/R=BCh

The calculation results of the above equations 1 and 2 have the same values as indicated by underline. 

The above is important for reduction of the operation time. That is, when the most significant bit of N is bit(n-1),
t-N is performed for bit(n)=1 of obtained t and the subsequent arithmetic may be performed for bit(n)=0.

Generally, for the modulo exponentiation arithmetic having an operand of 576 bits in length, R=2^576. At this time,
when the calculation result of the equation (20) exceeds 576 bits (when an overflow of digit of 576 bits occurs), t>=R.
Further, calculation of t-N in this case is performed by the following equation.

t-N=(value of lower 576 bits of t)+(inverted value of N)+1

Since the value of N in the cryptograph algorithm is odd, the sum of the inverted value of N and 1 is obtained by
calculating the inverse of N and changing the least significant bit thereof to 1.

The function REDC for performing the Montgomery's arithmetic shown in the Flow 2 merely obtains the solution of
the Montgomery's arithmetic. That is, as shown in the equation (18), in order to facilitate the calculation, a peculiar
numerical value of R' is used. In order to obtain the solution of the equation using the multiplication modN form which
does not include R', it is necessary to return the solution of the Montgomery's arithmetic shown in the Flow 2 to a
numerical value which does not include R' by means of some operation.

In the present invention, the following property is utilized to cancel the value of R' peculiar to the Montgomery's
arithmetic.

In M'(X)=XxR'modN,
when X is (XxR),
M'(XxR)=(XxR)R'modN=XmodN
and when X is (XxRmodN),
M'(XxRmodN)=(XxRmodN)R'modN=XmodN

In other words, by applying the Montgomery's arithmetic to the form of ?xR or ?xRmodN, R' peculiar to the
Montgomery's arithmetic is removed to be changed to the form of ?modN.

Thus, when this property is applied to the modulo exponentiation arithmetic using the iterative square and
multiplication method shown in the Flow 1, the solution of the modulo exponentiation arithmetic is obtained as shown in the
Flow 3. Exactly speaking, by performing the Flow 2 in each of the modN arithmetic of equations (24), (25) and (26)
shown in the Flow 3, solutions in the equations (24), (25) and (26) are obtained easily, so that the solution of the modulo
exponentiation arithmetic using the Flow 3 is obtained easily.

[FLOW 3]

begin
  A=1xRmodN=RmodN (23)
  for i=k-1 down to 0 do
  begin
    A=A^2xR'modN (24)
    if ei=1 then A=Ax(MxRmodN)xR'modN (25)
  end
  A=AxR'modN (26)
end



Large differences between the Flow 1 and the Flow 3 reside in that in the equation (23) the initial value stored in 
the register A is not 1 and RmodN(1 xRmodN) is stored in consideration of the later Montgomery's arithmetic, the equa- 
tion (25) using tiie value of MxRmodN instead of M of the equation (17). the equation (26) being newly performed. By 
55 storing RmodN in tiie register A previously, R' of the equations (24), (25) and (26) is removed. The iterative square and 
multiplication method of the Flow 3 is expressed by the flow chart as shown in Fig. 1 . 

Prior to execution of the arithmetic, RmodN, MxRmodN and N' required previously in Fig. 1 must be obtained.

[for RmodN]

In the modulo exponentiation arithmetic used in the RSA cryptograph or the like, the most significant bit b^(n-1) and
the least significant bit b^0 of "N" are 0. Accordingly, R at this time is selected to be 2^n. Thus, RmodN=R-N. R-N can be
easily calculated by obtaining the inverse of N and changing the least significant bit thereof to 1.

[for N']

From the relation of RxR'modN=1, RxR'-NxN'=1, 0<R' and N'<R, the following relation can be derived.
R'<N', N'-R<R-N

[for MxRmodN] 

By previously obtaining R^2modN, MxRmodN can be obtained by the following calculation using the Montgomery's
arithmetic,
Mx(R^2modN)xR'modN
≡MxR^2xR'modN
≡MxRmodN
For example, when R=2^512 is assumed,

2^513modN=2x2^512modN≡2x(RmodN)modN=A
When the following Flow 4 is executed using the above A as an initial value, the solution of R^2modN can be obtained.

[FLOW 4] 
begin
    for i=1 to 9
    begin
        M(A,A)=AxAxR'modN
    end
end

The calculation process in the Flow 4 is as follows: 

i=1: A=2^513modN M(A,A)=2^513x2^513x2^-512modN≡2^514modN
i=2: A=2^514modN M(A,A)=2^514x2^514x2^-512modN≡2^516modN
i=3: A=2^516modN M(A,A)=2^516x2^516x2^-512modN≡2^520modN
i=4: A=2^520modN M(A,A)=2^520x2^520x2^-512modN≡2^528modN
i=5: A=2^528modN M(A,A)=2^528x2^528x2^-512modN≡2^544modN
i=6: A=2^544modN M(A,A)=2^544x2^544x2^-512modN≡2^576modN
i=7: A=2^576modN M(A,A)=2^576x2^576x2^-512modN≡2^640modN
i=8: A=2^640modN M(A,A)=2^640x2^640x2^-512modN≡2^768modN
i=9: A=2^768modN M(A,A)=2^768x2^768x2^-512modN≡2^1024modN

The final result (i=9) is the solution of R^2modN to be obtained.

After the R^2modN obtained in this calculation is multiplied by M, the Flow 2 is executed using the multiplied result
as X in the Flow 2 to thereby obtain MxRmodN.

As described above, the calculation in the Flow 2 includes the multiplication using N and N' and the division using 
R. Accordingly, the solution can be obtained only by the multiplication and the addition without substantial execution of 
the division (modular arithmetic). 

As described above, values of RmodN, MxRmodN and N' required previously in the flow chart of Fig. 1 can be pre-
pared.
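The Flow 3 exponentiation and the Flow 4 preparation of R^2modN described above, written out in Python as an added example that is not part of the patent text. The function names are hypothetical, N' is obtained with Python's built-in modular inverse as an assumption (the text here only states the relation it satisfies), and r2_mod_n assumes n is a power of two, as in the R=2^512 example.

```python
# Added example (not from the patent): Flow 2 (REDC), Flow 4 and Flow 3.

def montgomery_params(N, n):
    """Return (R, N') with R = 2^n and R*R' - N*N' = 1, 0 < N' < R."""
    if N % 2 == 0 or not (1 << (n - 1)) <= N < (1 << n):
        raise ValueError("N must be odd and exactly n bits long")
    R = 1 << n
    n_prime = (-pow(N, -1, R)) % R          # assumption: computed by pow()
    return R, n_prime

def redc(X, N, n, n_prime):
    """Flow 2: X * R' mod N for 0 <= X < R*N, using only 'mod R' and '/ R'."""
    mask = (1 << n) - 1
    m = ((X & mask) * n_prime) & mask       # (19) m = (X mod R) x N' mod R
    t = (X + m * N) >> n                    # (20) t = (X + m x N) / R, exact
    return t - N if t >= N else t

def r_mod_n(N, n):
    """R mod N = R - N: invert N in n bits and set the least significant bit."""
    mask = (1 << n) - 1
    return (~N & mask) | 1

def r2_mod_n(N, n, n_prime):
    """Flow 4: R^2 mod N from A = 2 x (R mod N) mod N by log2(n) squarings."""
    if n & (n - 1):
        raise ValueError("this sketch assumes n is a power of two")
    A = 2 * r_mod_n(N, n)                   # 2^(n+1) mod N ...
    if A >= N:
        A -= N                              # ... after one subtraction
    for _ in range(n.bit_length() - 1):     # 9 iterations when n = 512
        A = redc(A * A, N, n, n_prime)      # exponent e becomes 2e - n
    return A

def mont_pow(M, e, N, n):
    """Flow 3: M^e mod N with every modN step replaced by REDC."""
    if not 0 <= M < N:
        raise ValueError("M must already be reduced modulo N")
    _, n_prime = montgomery_params(N, n)
    A = r_mod_n(N, n)                                        # (23)
    B = redc(M * r2_mod_n(N, n, n_prime), N, n, n_prime)     # M x R mod N
    for i in range(e.bit_length() - 1, -1, -1):
        A = redc(A * A, N, n, n_prime)                       # (24)
        if (e >> i) & 1:
            A = redc(A * B, N, n, n_prime)                   # (25)
    return redc(A, N, n, n_prime)                            # (26)

if __name__ == "__main__":
    N = 0xC5B3                               # constructed 16-bit odd modulus
    print(hex(mont_pow(0x1234, 0x10001, N, 16)))
```

The branch on each exponent bit and the conditional subtraction in redc make the running time depend on e and on the data, exactly as in Flow 3; this models the arithmetic and is not a side-channel-hardened implementation.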

The flow chart of Fig. 1 is now executed. 

First, the previously obtained RmodN is stored in a register A (The register A may be a memory, for example. The
same applies hereinafter.) as an initial value. The previously obtained MxRmodN is stored in a register B. The reason
why MxRmodN is stored in the register B is that MxRmodN in the equation (25) used in the later process is ensured.
Then, the equation (24) is executed. That is, the
Montgomery's arithmetic A^2xR'modN is executed. The equation (24) is obtained by executing the Flow 2 as
described above. A value obtained by squaring the value stored in the register A is calculated as X in the equation (19)
to obtain m. As described above, this calculation is performed by the modular arithmetic using the multiplication and R.
Since R=2^n is defined, the modular arithmetic using R may merely examine a value smaller than or equal to 2^n of the
dividend. Then, the obtained m is used to execute the equation (20). A value obtained by squaring the value stored in
the register A is calculated as X in the equation (20) to obtain t. As described above, this calculation is performed by
multiplication and addition and division using R. Since R=2^n is defined, the division using R may merely examine a
value larger than or equal to 2^n of the dividend. This calculation result is stored in the register A.
Then, the value stored in register a is stored in the register A.

Judgment of bits of the exponent e is made. If bit is 1, the equation (25) is executed. That is, the Montgomery's arith-
metic AxBxR'modN is executed. The equation (25) is obtained by executing the Flow 2 as described above. A product
of the value stored in the register A and the value stored in the register B is calculated as X in the equation (19) to obtain
m. The obtained m is used to execute the equation (20). A product of the value stored in the register A and the value
stored in the register B is calculated as X in the equation (20) to obtain t. The calculation result is stored in the register
a. The calculation result stored in the register a is stored in the register A.

If bit of the exponent e is 0, the calculation of the equation (25) is not performed and the process proceeds to next 
step. 

Judgment as to whether the above arithmetic operation (execution of the equations (24) and (25)) is performed for
all bits of the exponent e or not is made. If it is not performed, the process is returned to the step in which the equation
(24) is performed, while if it is performed, the equation (26) is then performed. The equation (26) is obtained by execut-
ing the Flow 2 as described above. Calculation is made using the value stored in the register A as X in the equation (19)
to obtain m. Then, the obtained m is used to execute the equation (20). Calculation is made using the value stored in
the register A as X in the equation (20) to obtain t.

Thus, the series of operations described above is completed. 

The solution of the modulo exponentiation arithmetic described above is summarized as follows. 

1. Modulo exponentiation arithmetic (M^e modN)
2. Iterative square and multiplication method is used (iteration of AxAmodN and AxMmodN)

3. Calculation of AxAmodN and AxMmodN is substituted by the Montgomery's method since the division is com-
plicated (Montgomery's method: M'(X)=XxR'modN)

4. M'(X)=XxR'modN can be realized using the function REDC(X). (The function REDC can convert the
arithmetic of modN to the form of modR to thereby avoid the complexity of the division.)

A hardware for actually realizing the present invention is now described with reference to the accompanying draw- 
ings. 

Fig. 4 is a block diagram schematically illustrating an actual hardware.

In Fig. 4, numerals 401, 403, 405, 407, 409, 411, 413 and 415 denote memories or registers. Values described in
respective boxes are stored in the registers 401, 403, 405, 407, 409, 411 and 413. The register 405 corresponds to the
register A described in Fig. 1 and the register 415 corresponds to the register a. A selector 417 serves to transfer any
output of the register 407 or the register 405 to an arithmetic unit 419 in accordance with an indication from a one-bit
left-shift register 409 in which the exponent e is stored. The selector 417 corresponds to a portion for executing the "shift
and carry of e" in Fig. 1. That is, when the exponent portion e is 1, MxRmodN is transferred to the arithmetic unit and
when the exponent portion e is 0, it is not transferred. At the initial stage of the flow chart shown in Fig. 1, when A^2 is
obtained, an output of the register 405 is transferred to the arithmetic unit.

The arithmetic unit 419 includes a multiplier unit and a divider unit. The arithmetic unit 419 executes multiplication 
and the function REDC(X). 

The hardware for realizing the present invention is now described in detail with reference to the drawings. 

(First Embodiment)
(Structure)

The calculation method of the modulo exponentiation arithmetic M^e modN performs the two kinds of arithmetic
operations of A^2xR'modN ... (24) and AxBxR'modN ... (25) (B corresponds to a portion in which "MxRmodN" of the
equation (25) is positioned) in the Montgomery's arithmetic method described above repeatedly on the basis of a pre-
scribed procedure in accordance with contents of bit values of the exponent "e" and finally performs the following equa-
tion (26) as described in Fig. 1 and the Flow 3.

Ax1xR'modN (26)

Accordingly, by providing an arithmetic unit (hereinafter referred to as a coprocessor) for performing the three kinds
of modular arithmetics, the coprocessor can be used (the repetitive procedure of arithmetic may be realized by a control
method of any of software or hardware) to obtain the solution of the modulo exponentiation arithmetic.

The present invention concerns the coprocessor having the three kinds of modular arithmetics or three arithmetic
modes.

Fig. 5 is a diagram schematically illustrating a modular arithmetic coprocessor according to a first embodiment of
the present invention.

In Fig. 5, thick arrowed lines connecting blocks represent buses for transferring data. 

The modular arithmetic coprocessor of the present invention comprises a timing/control circuit T/C for supplying
operation timings of the whole coprocessor and control signals corresponding to a kind of the arithmetic operations of
three kinds to various circuits in arithmetic unit, and a plurality of arithmetic value memories Smem, N'mem, Nmem,
Mmem, A'mem, Wlmem and Whmem for storing arithmetic values in the Montgomery's method. Further, the modular
arithmetic coprocessor of the present invention comprises a high-speed multiplier/adder Mul/Add for performing multi-
plication and addition, a high-speed adder Add for performing addition, a multiplier storage register Xi-reg for storing a
multiplier value, a multiplicand storage register Yi-reg for storing a multiplicand, an augend storage register Ai-reg for
storing an augend, and a register RH for storing an upper digit of a value produced by the high-speed adder Add.

The high-speed adder Add, the multiplier storage register Xi-reg, the multiplicand storage register Yi-reg and the
augend storage register Ai-reg have the function of temporarily storing a value read out from the arithmetic value mem-
ories and corresponding to an input bit length of the high-speed multiplier/adder Mul/Add.

The high-speed multiplier/adder Mul/Add is a multiplier/adder of a specific bit length which is supplied with an out-
put value of the register Xi-reg and an output value of the register Yi-reg as input value in the multiplication operation
and is supplied with an output value of the register Ai-reg as input value in the addition operation. An output of the high-
speed multiplier/adder is inputted to the high-speed adder Add of next stage as an addition input value.

The high-speed adder Add is an adder of a specific bit length which performs addition of an output value of the
high-speed multiplier/adder Mul/Add and an output value of the register RH. The upper digit of the output of the high-
speed adder Add is supplied to the register RH or the arithmetic value memories and the lower digit thereof is supplied
to the arithmetic value memories.

(Operation) 

Operation of the circuit shown in Fig. 5 is now described. 

[Realization Method of A^2xR'modN ... (24)]

A value of A is stored in both the arithmetic value memories A'mem and Wlmem, a value of N' in the Montgomery's
method is stored in the arithmetic value memory N'mem and a value of N is stored in the arithmetic value memory
Nmem. Since the values of N and N' are keys for encryption/decryption, the values are determined by the cryptograph
system operator to the transmitting/receiving person of data. A value of R is determined from the value of N. The value
of A is determined by executing RmodN as described above.

A mode 1 signal is supplied to the timing/control circuit T/C to thereby execute the equation (24) of A^2xR'modN as
described below.
Calculation of AxA is first performed.

A value corresponding to the input bit length of the high-speed multiplier/adder Mul/Add is taken in the register Xi-
reg from the arithmetic value memory A'mem. Similarly, a value corresponding to the input bit length of the high-speed
multiplier/adder Mul/Add is taken in the register Yi-reg from the arithmetic value memory Wlmem.

As shown in Fig. 6, for the multiplication operation, when the bit length (for example, 16 bits) of the operation value
exceeds the multiplication input processing bit length (for example, 4 bits) of the high-speed multiplier/adder Mul/Add,
a unit of multiplication and addition are repeated by the number of times (4x4=16 times) of operation corresponding to
the bit length of the operation value.

The above operation is expressed in detail by hardware image as shown in Fig. 7.

This arithmetic operation means that values obtained by multiplying values stored in addresses A'3, A'2, A'1 and
A'0 of the arithmetic value memory A'mem by values stored in addresses Wl3, Wl2, Wl1 and Wl0 are stored in
addresses Wh3, Wh2, Wh1, Wh0, Wl3, Wl2, Wl1 and Wl0 of the arithmetic value memories Whmem and Wlmem.

(Unit of Multiplication and Addition 1)

The value (multiplicand) stored in the address Wl0 of the arithmetic memory Wlmem is taken in the register Yi-reg
and the value (multiplier) stored in the address A'0 of the arithmetic value memory A'mem is taken in the register Xi-reg.
Then, the high-speed multiplier/adder Mul/Add multiplies the multiplier by the multiplicand and supplies a product
thereof to the high-speed adder Add. In this multiplication and addition unit 1, since the digit alignment operation is not
required, the addend supplied to the high-speed multiplier/adder Mul/Add from the register Ai-reg is assumed to be 0.
(The value of the register Ai-reg is set to 0 or the value stored in the register Ai-reg is adapted not to be supplied to the
high-speed multiplier/adder Mul/Add.) Further, a high level signal is supplied to a through terminal of the high-speed
adder Add so that contents of the register RH are not added. In the multiplication of the value of the arithmetic value
memory A'mem and the value of the arithmetic value memory Wlmem, since the lower digit of the operation result in
the unit of multiplication and addition 1 is the least significant digit of the final operation result of this multiplication, the
lower digit of the operation result in the unit of multiplication and addition 1 is stored in the least significant address Wl0
of the arithmetic value memory Wlmem as the final operation result of this multiplication. (In Fig. 7, the final operation
result is stored in the underlined address.) The upper digit of the operation result of the unit of multiplication and addition
1 is stored in the register RH in order to align the digit in the next unit of multiplication and addition.

(Unit of Multiplication and Addition 2)

The register Yi-reg holds the already stored value (multiplicand) and the register Xi-reg takes in the value (multi-
plier) stored in the address A'1 of the arithmetic value memory A'mem. Then, the high-speed multiplier/adder Mul/Add
multiplies the multiplier by the multiplicand and supplies the product thereof to the high-speed adder Add. In this multi-
plication and addition unit 2, the addend supplied to the high-speed multiplier/adder Mul/Add from the register Ai-reg is
assumed to be 0. (The value of the register Ai-reg is set to 0 or the value stored in the register Ai-reg is adapted not to
be supplied to the high-speed multiplier/adder Mul/Add.) A low level signal is supplied to the through terminal of the
high-speed adder Add so that contents (the upper digit of the operation result of the multiplication and addition unit 1)
of the register RH are added to the output of the high-speed multiplier/adder Mul/Add. The lower digit of the operation
result in the unit of multiplication and addition 2 is stored in the least significant address Wh0 of the arithmetic value
memory Whmem. The upper digit of the operation result of the unit of multiplication and addition 2 is stored in the reg-
ister RH in order to align the digit in the next unit of multiplication and addition.

(Unit of Multiplication and Addition 3)

The register Yi-reg holds the already stored value (multiplicand) and the register Xi-reg takes in the value (multi-
plier) stored in the address A'2 of the arithmetic value memory A'mem. Then, the high-speed multiplier/adder Mul/Add
multiplies the multiplier by the multiplicand and supplies the product thereof to the high-speed adder Add. In this multi-
plication and addition unit 3, the addend supplied to the high-speed multiplier/adder Mul/Add from the register Ai-reg is
assumed to be 0. (The value of the register Ai-reg is set to 0 or the value stored in the register Ai-reg is adapted not to
be supplied to the high-speed multiplier/adder Mul/Add.) A low level signal is supplied to the through terminal of the
high-speed adder Add so that contents (the upper digit of the operation result of the multiplication and addition unit 1)
of the register RH are added to the output of the high-speed multiplier/adder Mul/Add. The lower digit of the operation
result in the unit of multiplication and addition 3 is stored in the address Wh1 of the arithmetic value memory Whmem.
The upper digit of the operation result of the unit of multiplication and addition 3 is stored in the register RH in order to
align the digit in the next unit of multiplication and addition.

(Unit of Multiplication and Addition 4) 

The register Yi-reg holds the already stored value (multiplicand) and the register Xi-reg takes in the value (multi-
plier) stored in the address A'3 of the arithmetic value memory A'mem. Then, the high-speed multiplier/adder Mul/Add
multiplies the multiplier by the multiplicand and supplies the product thereof to the high-speed adder Add. In this multi-
plication and addition unit 4, the addend supplied to the high-speed multiplier/adder Mul/Add from the register Ai-reg is
assumed to be 0. (The value of the register Ai-reg is set to 0 or the value stored in the register Ai-reg is adapted not to
be supplied to the high-speed multiplier/adder Mul/Add.) A low level signal is supplied to the through terminal of the
high-speed adder Add so that contents (the upper digit of the operation result of the multiplication and addition unit 1)
of the register RH are added to the output of the high-speed multiplier/adder Mul/Add. The lower digit of the operation
result in the unit of multiplication and addition 4 is stored in the address Wh2 of the arithmetic value memory Whmem.
The upper digit of the operation result of the unit of multiplication and addition 4 is stored in the address Wh3 of the
arithmetic value memory Whmem in order to align the digit in the next unit of multiplication and addition.

(Unit of Multiplication and Addition 5) 

The register Yi-reg takes in the value (multiplicand) stored in the address Wl1 of the arithmetic value memory
Wlmem, the register Xi-reg takes in the value (multiplier) stored in the address A'0 of the arithmetic value memory
A'mem, and the register Ai-reg takes in the value (addend) stored in the address Wh0 of the arithmetic value memory
Whmem. Then, the high-speed multiplier/adder Mul/Add multiplies the multiplier by the multiplicand and adds the
addend to this multiplication result to supply the added result to the high-speed adder Add. In this unit of multiplication
and addition 5, a high level signal is supplied to the through terminal of the high-speed adder Add so that the contents
(upper digit of the operation result of the unit of multiplication and addition 4) of the register RH are not added. The lower
digit of the operation result of this multiplication and addition unit 5 is stored in the address Wl1 of the arithmetic value
memory Wlmem. The upper digit of the operation result of this multiplication and addition unit 5 is stored in the register
RH in order to align the digit in the next unit of multiplication and addition.

(Unit of Multiplication and Addition 6) 

The register Yi-reg holds the already stored value (multiplicand), the register Xi-reg takes in the value (multiplier)
stored in the address A'1 of the arithmetic value A'mem and the register Ai-reg takes in the value (addend) stored in the
address Wh1 of the arithmetic value memory Whmem. Then, the high-speed multiplier/adder Mul/Add multiplies the
multiplier by the multiplicand and adds the addend to this multiplication result to supply the added result to the high-
speed adder Add. In this unit of multiplication and addition 6, a low level signal is supplied to the through terminal of the
high-speed adder Add so that the contents (upper digit of the operation result of the unit of multiplication and addition
5) of the register RH are added to the output of the high-speed multiplier/adder Mul/Add. The lower digit of the operation
result of this multiplication and addition unit 6 is stored in the address Wh0 of the arithmetic value memory Whmem.
The upper digit of the operation result of this multiplication and addition unit 6 is stored in the register RH in order to
align the digit in the next unit of multiplication and addition.

(Unit of Multiplication and Addition 7)

The register Yi-reg holds the already stored value (multiplicand), the register Xi-reg takes in the value (multiplier)
stored in the address A'2 of the arithmetic value A'mem and the register Ai-reg takes in the value (addend) stored in the
address Wh2 of the arithmetic value memory Whmem. Then, the high-speed multiplier/adder Mul/Add multiplies the
multiplier by the multiplicand and adds the addend to this multiplication result to supply the added result to the high-
speed adder Add. In this unit of multiplication and addition 7, a low level signal is supplied to the through terminal of the
high-speed adder Add so that the contents (upper digit of the operation result of the unit of multiplication and addition
6) of the register RH are added to the output of the high-speed multiplier/adder Mul/Add. The lower digit of the operation
result of this multiplication and addition unit 7 is stored in the address Wh1 of the arithmetic value memory Whmem.
The upper digit of the operation result of this multiplication and addition unit 7 is stored in the register RH in order to
align the digit in the next unit of multiplication and addition.

(Unit of Multiplication and Addition 8) 

The register Yi-reg holds the already stored value (multiplicand), the register Xi-reg takes in the value (multiplier)
stored in the address A'3 of the arithmetic value A'mem and the register Ai-reg takes in the value (addend) stored in the
address Wh3 of the arithmetic value memory Whmem. Then, the high-speed multiplier/adder Mul/Add multiplies the
multiplier by the multiplicand and adds the addend to this multiplication result to supply the added result to the high-
speed adder Add. In this unit of multiplication and addition 8, a low level signal is supplied to the through terminal of the
high-speed adder Add so that the contents (upper digit of the operation result of the unit of multiplication and addition
7) of the register RH are added to the output of the high-speed multiplier/adder Mul/Add. The lower digit of the operation
result of this multiplication and addition unit 8 is stored in the address Wh2 of the arithmetic value memory Whmem.
The upper digit of the operation result of this multiplication and addition unit 8 is stored in the address Wh3 of the arith-
metic value memory Whmem.

The units of multiplication and addition 9 to 16 are performed as shown in Fig. 7 in accordance with the unit of mul-
tiplication and addition described above. Thus, AxA, that is, the value obtained by multiplying the value stored in the
arithmetic value memory A'mem by the value stored in the arithmetic value memory Wlmem is stored in the form of
Whmem-Wlmem ("-" is not a mark representing subtraction).

For example, in the case of the calculated result 6572h of 64h x F5h in calculation of 8 bits x 8 bits, the upper digit
65h thereof is stored in the arithmetic value memory Whmem and the lower digit 72h is stored in the arithmetic value
memory Wlmem.
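The sequence of units of multiplication and addition 1 to 16 described above, modelled in Python as an added example that is not part of the patent text. The lists stand for the 4-bit addresses of A'mem, Wlmem and Whmem (index 0 is the least significant address); the function names and the 16-bit operands are constructed for illustration.

```python
# Added example (not from the patent): digit-serial multiplication with the
# Mul/Add unit, the adder Add and the carry register RH, 4 bits per digit.

DIGIT_BITS = 4
MASK = (1 << DIGIT_BITS) - 1

def to_digits(value, count):
    """Split value into `count` digits, least significant address first."""
    return [(value >> (DIGIT_BITS * i)) & MASK for i in range(count)]

def from_digits(digits):
    """Inverse of to_digits."""
    return sum(d << (DIGIT_BITS * i) for i, d in enumerate(digits))

def multiply_units(a_mem, wl_mem):
    """Return (Whmem, Wlmem, units) after multiplying A'mem by Wlmem.

    Each pass of the inner loop is one "unit of multiplication and addition".
    """
    d = len(a_mem)
    if len(wl_mem) != d:
        raise ValueError("both operands must have the same number of digits")
    wl = list(wl_mem)
    wh = [0] * d
    rh = 0
    units = 0
    for j in range(d):
        yi = wl[j]                         # Yi-reg: loaded once per row
        for i in range(d):
            xi = a_mem[i]                  # Xi-reg
            ai = wh[i] if j > 0 else 0     # Ai-reg: forced to 0 in units 1-4
            total = xi * yi + ai           # Mul/Add
            if i > 0:                      # through terminal low: add RH
                total += rh
            lower, upper = total & MASK, total >> DIGIT_BITS
            if i == 0:
                wl[j] = lower              # final digit of the product
            else:
                wh[i - 1] = lower          # partial sum, shifted one address
            if i == d - 1:
                wh[i] = upper              # last unit of the row: top digit
            else:
                rh = upper                 # carried into the next unit
            units += 1
    return wh, wl, units

if __name__ == "__main__":
    a, b = 0xBEEF, 0x1234                  # constructed sample operands
    wh, wl, units = multiply_units(to_digits(a, 4), to_digits(b, 4))
    print(units, hex(from_digits(wh)), hex(from_digits(wl)))
```

The largest value a single unit can produce is 15x15+15+15=255, so the upper and lower digits always fit in 4 bits each.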

Then, the function REDC is used to perform the modular arithmetic using the Montgomery's method. In the Mont-
gomery's method, when the modulo exponentiation arithmetic having the operand length of n bits is performed, R=2^n
as described above. There are values of R' and N' having the bit length of n in this relation. Since the value of AxA is
stored in the form of Whmem-Wlmem, calculation of m is as follows.
m=(XmodR)xN'modR
=(Whmem-Wlmem)modRxN'modR
where since (XmodR) is a remainder of X divided by R, the value smaller
than R is examined, so that the above equation is as follows.
m=(Wlmem)x(N'mem)modR

The above equation indicates a remainder of (Wlmem)x(N'mem) divided by R and accordingly the lower n-bit value
of the result obtained by performing (Wlmem)x(N'mem) is m.
More particularly, the value stored in the arithmetic memory Mmem when the calculation of (Wlmem)x(N'mem) is
performed in accordance with the calculation of AxA and the result thereof is stored into both of the arithmetic value
memory A'mem and the arithmetic value memory Mmem in the form of A'mem-Mmem is m.
Further, calculation of t is as follows.
t=(X+mxN)/R
=[(Whmem-Wlmem)+(Mmem)x(Nmem)]/R

In order to obtain the solution of the above equation, calculation of (Mmem)x(Nmem) is performed in accordance
with AxA and the result thereof is stored in both the arithmetic value memories A'mem and Mmem in the form of A'mem-
Mmem. Subsequently, the following calculation is performed.

Mmem x1 + Wlmem (27) (addition of lower digit)

A'mem x1 + Whmem + overflow of (27) (28) (addition of upper digit)

The equation (28) at this time is t to be obtained.

Further, since the value smaller than or equal to R is necessarily 0 and the calculated result of the equation (27) is
0, it is not necessary to store it in the memory. In the calculation of the equation (27), while there is considered the case
where overflow of digit occurs, 1 is supplied to terminal (+1) of the high-speed multiplier/adder Mul/Add shown in Fig. 5
at this time in the calculation of the equation (28). It is apparent that the calculations can be performed easily by means
of the coprocessor of the present invention.

The value obtained by the equation (28) is stored in both of the arithmetic value memories A'mem and Mmem. Fur-
ther, when overflow of digit occurs, 1 is written in a carry flag CF.

When the carry flag is 1, it is apparent that there is the relation of t>N and accordingly it is necessary to calculate
t-N. This is obtained by performing the following calculation.

[(Inverted Nmem+1)x1]+Wlmem (29)

The inverted Nmem means the inverse of the value stored in Nmem.

Since the value of N stored in the arithmetic value memory Nmem is odd in the cryptograph algorithm, the value of
(the inverted Nmem+1) in the equation (29) is obtained by calculating a complement of 1 for Nmem and changing the
least significant bit to 1. This operation is realized by supplying 1 to a terminal Inv of the register Xi-reg shown in Fig. 5
(the complement of 1 for the value stored in the register Xi-reg is calculated).

[Realization Method of AxBxR'modN ... (25)]

The value of A is stored in the arithmetic value memory Wlmem, the value of B is stored in the arithmetic value
memory Smem, the value of N' in the Montgomery's method is stored in the arithmetic value memory N'mem and the
value of N is stored in the arithmetic value memory Nmem.

A mode 2 signal is supplied to the timing/control circuit T/C to thereby execute the equation (25) of AxBxR'modN
as described below.
Calculation of AxB is first performed.

A value corresponding to the input bit length of the high-speed multiplier/adder Mul/Add is taken in the register Xi-
reg from the arithmetic value memory Smem. Similarly, a value corresponding to the input bit length of the high-speed
multiplier/adder Mul/Add is taken in the register Yi-reg from the arithmetic value memory Wlmem.

The calculation of AxB is the same as the calculation of AxA described above except that the value supplied to the
register Xi-reg is taken from the arithmetic value memory Smem.

Then, the function REDC is used to perform the modular arithmetic using the Montgomery's method.
The calculation method is the same as in the case of AxA and the calculation result is stored in both of the arith-
metic value memories A'mem and Wlmem.

When the modulo exponentiation arithmetic is performed, the equations (24) and (25) are calculated repeatedly.
However, by using the realization method of the calculation described above, the calculation results of the equations
(24) and (25) are stored in both of the arithmetic value memories A'mem and Wlmem. Accordingly, since the initializa-
tion of arithmetic values is not required at the beginning of calculation of each equation, the repetitive calculation can
be performed smoothly.

[Realization Method of AxR'modN ... (26)]

The value of A is stored in the arithmetic value memory Wlmem, the value of N' in the Montgomery's method is
stored in the arithmetic value memory N'mem and the value of N is stored in the arithmetic value memory Nmem.
A mode 3 signal is supplied to the timing/control circuit T/C to thereby execute the equation (26) of AxR'modN as
described below.

In the equation of this time, it is not necessary to execute multiplication of Ax?. Accordingly, only the modular arith-
metic using the Montgomery's method is performed.

The calculation method of m in the modular arithmetic is substantially the same as in the case of AxA. The value
of the arithmetic value memory Wlmem when the calculation result is stored in both of the arithmetic value memories
A'mem and Wlmem in the form of A'mem-Wlmem is the value of m.

Further, calculation of t is as follows.

t=(X+mxN)/R (30)
=[value above R of result of (Wlmem)x(Nmem)]+1

In the calculation of the equation (26), the above X is A and there is no value above R (it is considered as 0).
Accordingly, it is not necessary to perform addition of the value (Whmem) above R as described in the realization
method of the equation (24). Further, since (X+mxN) is necessarily a multiple of R, it is not necessary to add the value
of X indicated by the second term of the equation (30) and the solution is obtained by "[the value above R of the result
of (Wlmem)x(Nmem)]+1" instead. This is that the value of A in this calculation is not 0 when the modular arithmetic is
used in the cryptograph algorithm.

Accordingly, in the equation (30), calculation of (Wlmem)x(Nmem) is first performed and the calculation result
thereof may be stored in the arithmetic value memories A'mem and Wlmem in the form of A'mem-Wlmem. The value
in the memory A'mem obtained as the result thereof is the solution to be obtained. (All operations of the modulo expo-
nentiation arithmetic are terminated by the execution of this arithmetic operation and accordingly storing to the arithme-
tic value memory Wlmem may be omitted.) At the timing of storing the final calculation result at this time in the least
significant digit of the arithmetic value memory A'mem, 1 is supplied to the terminal +1 shown in Fig. 5 to execute addi-
tion of 1 in the equation (30).
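The mode 3 shortcut of equation (30), and the case A=0 that the text sets aside, checked in Python as an added example that is not part of the patent text. The function names are hypothetical, N' is computed with Python's built-in modular inverse as an assumption, and the 16-bit modulus is constructed.

```python
# Added example (not from the patent): equation (30) without adding X.

def mode3_shortcut(A, N, n):
    """A x R' mod N as '[upper half of m x N] + 1', valid only for 0 < A < R."""
    R = 1 << n
    n_prime = (-pow(N, -1, R)) % R      # assumption: N' obtained via pow()
    m = (A * n_prime) & (R - 1)         # X = A < R, so X mod R is A itself
    # A + m*N is a multiple of R and 0 < A < R, so the lower half of m*N is
    # exactly R - A and adding A always carries 1 into the upper half.
    t = ((m * N) >> n) + 1
    return t - N if t >= N else t

def mode3_checked(A, N, n):
    """Same computation with the A = 0 case handled explicitly."""
    if A == 0:
        return 0                        # no carry occurs: m = 0 and t = 0
    return mode3_shortcut(A, N, n)

if __name__ == "__main__":
    N, n = 0xC5B3, 16                   # constructed odd 16-bit modulus
    r_inv = pow(1 << n, -1, N)
    for A in (1, 2, 12345, N - 1):
        print(A, mode3_shortcut(A, N, n), A * r_inv % N)
    print("A=0:", mode3_shortcut(0, N, n), "expected", 0)
```

With A=0 the unconditional +1 yields 1 instead of 0, which is why the shortcut depends on the stated condition that A is not 0 at this step.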

As described above, according to the first embodiment, the multiplier/adder (a multiplier and an adder may be
provided separately) having the prescribed bit length is provided as a core of the arithmetic unit and the control signals
from the timing/control signal generating circuit are supplied to the circuit disposed at the periphery thereof to thereby
be able to realize the modular arithmetic having a long bit length using the Montgomery's method or the modulo
exponentiation arithmetic. Further, according to this system, since the core of the arithmetic unit can be configured by the
arithmetic unit having a limited (prescribed) bit length, the circuit scale can be made small and it is suitable for LSI.

(Second Embodiment)

(Structure)

Fig. 8 is a block diagram schematically illustrating a modular arithmetic coprocessor according to a second
embodiment of the present invention.

The second embodiment includes, in addition to the configuration of the first embodiment (Fig. 5), a circuit for
detecting that an arithmetic value is 0 and controlling the sequence for the next arithmetic operation.

More particularly, this control circuit is represented by ZeroC in Fig. 8. The control circuit ZeroC is a circuit for
detecting that an arithmetic value is 0 to control the sequence for the next arithmetic operation and includes an input
terminal to which the output signal of the high-speed adder Add is supplied and an output terminal. The control circuit
produces from the output terminal a signal for subjecting the timing/control signal generated by the timing/control circuit
T/C and the signal for operating the various circuits in the coprocessor to a predetermined control.

(Operation) 

In the calculation of the function REDC described in the realization method of the equations (24) and (25) of the
first embodiment, the value of X obtained as the result of the previous multiplication can be classified into the following
two cases.

(a) When it is a multiple of R

the value (Wlmem) obtained in the previous calculation is 0.

(b) When it is not a multiple of R

the value (Wlmem) obtained in the previous calculation is not 0.

In the embodiment, the control circuit ZeroC detects whether the value less than R of the X value (value of AxA or
AxB) is 0 or not and performs the sequence of the subsequent arithmetic operation in accordance with the detected
result as follows.

For the case of (a), it is apparent that since XmodR=0, m=0. Accordingly, at this time, it is not necessary to perform
calculation of m.

Calculation of t is as follows.

t=(X+mxN)/R=X/R=Whmem (31)

This indicates that the upper digit of the calculated result of AxA and AxB is a value of t as it is. Accordingly, in the
process by hardware in this case, the value stored in the arithmetic value memory Whmem is stored in both of the
arithmetic value memories A'mem and Wlmem as it is and preparation for the next repetitive arithmetic operation is made.
That is, when the value less than R of the X value (value obtained by the previous calculation) is 0, it is not necessary
to calculate t. This means that it is not necessary to calculate the whole bit length of X in calculation of t.

For the case of (b), the calculation for obtaining m is performed in the same manner as the first embodiment and
the calculated result is stored in both of the arithmetic value memories A'mem and Wlmem in the form of
A'mem-Wlmem. The value stored in the arithmetic value memory Wlmem is made to be the value of m. Calculation of t is
continuously performed.

Calculation of t is as follows.

t=(X+mxN)/R (32)

=Whmem+[value above R of result of (Wlmem)x(Nmem)]+1

The solution of the equation (32) is obtained by performing calculation of (Wlmem)x(Nmem) to store the calculated
result in both of the arithmetic value memories A'mem and Wlmem in the form of A'mem-Wlmem and then performing
calculation of the following equation.

(A'mem)x1+(Whmem)+1 (33)

The reason is that since the value of X+mxN is a multiple of R necessarily, it is not necessary to calculate the value less
than R purposely. In the equation (33), at the calculation timing of the least significant digit, 1 is supplied to the terminal
+1 shown in Fig. 5 to execute addition of 1 in the equation (33).

The calculated result obtained in the equation (33) is stored in both of the arithmetic value memories A'mem and
Wlmem and when overflow of digit occurs, 1 is written in the carry flag CF. The subsequent process is the same as that
of the first embodiment.

As described above, according to the second embodiment, addition of the control circuit (which can be configured
by the circuit scale corresponding to the bit length of the multiplier/adder and is a small-scale circuit) for detecting that
the arithmetic value is 0 and controlling the sequence of the subsequent arithmetic operation can attain deletion of the
arithmetic value memory Mmem of the coprocessor described in the first embodiment and deletion of an amount of
arithmetic operation. Accordingly, deletion of hardware and reduction of the operation time can be attained.
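
The two REDC cases of the second embodiment and the "+1" shortcut of equations (30), (32) and (33) can be checked numerically. The following Python model is an added example, not part of the patent: the function names are hypothetical, N' is obtained with Python's built-in modular inverse instead of by the coprocessor, and the final conditional subtraction is the standard last step of Montgomery's REDC, assumed here for the "subsequent process" of the first embodiment.

```python
# Added example (not from the patent): software model of REDC with the
# zero-detect sequence control of the second embodiment.

def split_x(X, n):
    """Return (Whmem, Wlmem): the value above R and the value less than R, R = 2**n."""
    return X >> n, X & ((1 << n) - 1)

def redc_zero_detect(X, N, n):
    """Compute X x R' mod N for 0 <= X < RxN, following cases (a) and (b).

    Returns (t, case). N must be odd and smaller than R = 2**n.
    """
    R = 1 << n
    if N % 2 == 0 or not 0 < N < R or not 0 <= X < R * N:
        raise ValueError("need odd N < R and 0 <= X < R*N")
    n_prime = pow(R - N, -1, R)       # N' with RxR' - NxN' = 1 (assumption: built-in inverse)
    wh, wl = split_x(X, n)
    if wl == 0:
        # Case (a): X is a multiple of R, so m = 0 and t = X/R = Whmem, equation (31).
        t, case = wh, "a"
    else:
        # Case (b): m = (X mod R) x N' mod R, then equation (32).
        m = (wl * n_prime) & (R - 1)
        mn_high, mn_low = split_x(m * N, n)
        # X + mxN is a multiple of R and both low parts are non-zero, so they sum
        # to exactly R: the low part need not be computed and the carry is always 1.
        assert wl + mn_low == R
        t, case = wh + mn_high + 1, "b"
    if t >= N:                        # final subtraction of standard REDC (assumption)
        t -= N
    return t, case

def redc_reference(X, N, n):
    """Textbook REDC over the whole bit length of X, for comparison."""
    R = 1 << n
    m = ((X & (R - 1)) * pow(R - N, -1, R)) & (R - 1)
    t = (X + m * N) >> n
    return t - N if t >= N else t

def montgomery_multiply(a, b, N, n):
    """a x b mod N through the replacement arithmetic f'(A, B) = AxBxR' mod N."""
    R = 1 << n
    a_bar, b_bar = (a * R) % N, (b * R) % N      # operands in Montgomery form
    prod_bar, _ = redc_zero_detect(a_bar * b_bar, N, n)
    # Leaving Montgomery form is REDC of a value below R (Whmem = 0),
    # which is the situation of equation (30).
    result, _ = redc_zero_detect(prod_bar, N, n)
    return result

if __name__ == "__main__":
    N, n = 0b11010111, 8              # constructed sample: modulus 215, R = 256
    for X in (0x1234, 0x1200, 37):
        print(X, redc_zero_detect(X, N, n), redc_reference(X, N, n))
    print(montgomery_multiply(123, 200, N, n), (123 * 200) % N)
```

The returned case label shows which inputs take the shortened sequence of case (a), so the number of operations performed depends on the value of X.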

(Third Embodiment)

(Structure)

Fig. 9 is a block diagram schematically illustrating a modular arithmetic coprocessor according to a third
embodiment of the present invention.

The third embodiment includes, in addition to the configuration of the first embodiment (Fig. 5) or the second
embodiment (Fig. 8), a bit length selection control circuit for selecting the bit length of the operand to change the
timing/control signal.

More particularly, the bit length selection control circuit is represented by LenCont of Fig. 9. The bit length selection
control circuit LenCont is operated to control the operation timing signal generated by the timing/control circuit T/C and
the control signal supplied to the various circuits in the coprocessor in accordance with an input signal Sel-len.

(Operation)

In operation of the coprocessor, the value R, the value R' determined by the value of R, the bit length of the N' value
and the repetitive procedure (the number of times) of the multiplication and addition of the prescribed bit length are
changed in accordance with change of the bit length of the operand.

For example, when the high-speed multiplier/adder Mul/Add is of 16-bit length and performs multiplication of AxA
having the operand bit length of 512 bits, the number of times for repetition of multiplication and addition by the
high-speed multiplier/adder Mul/Add is as follows.
(512/16)x(512/16)=1024 times
On the other hand, for the operand bit length of 768 bits, the number of times is as follows.
(768/16)x(768/16)=2304 times
The sequences for these calculations are different. Further, as described above, since the value R is determined
uniquely in accordance with the operand bit length, the bit lengths of the values R' and N' are changed correspondingly.
The bit length selection control circuit LenCont controls the factor for the above changes, that is, the circuit controls
to produce the operation timing signal and the control signal generated by the timing/control circuit T/C in accordance
with the selected bit length.

Generally, the bit length selection control circuit LenCont can be realized by a relatively small-scale circuit
configuration such as PLA or logic circuits.

As described above, in the coprocessor of the third embodiment, the bit length selection control circuit LenCont is
added to thereby be able to execute the modular arithmetic or the modulo exponentiation arithmetic having various
operand bit lengths.

(Fourth Embodiment)

(Structure)

The foundation of the arithmetic operation of the coprocessor described in the above embodiments is the
multiplication and the addition of the prescribed bit length. The method of repeating the basic multiplication and addition to
realize the modular arithmetic or the modulo exponentiation arithmetic is as described in the above embodiments.
In the above embodiments, however, since the coprocessor performs only the modular arithmetic mode, application
thereof is limited to the modular arithmetic although the basis of the arithmetic operation is multiplication and
addition.

Accordingly, the multiplication and addition mode of a long bit length which is the foundation of various arithmetic
operations is added to improve the generality of the coprocessor.
Fig. 10 is a block diagram schematically illustrating the modular arithmetic coprocessor according to a fourth
embodiment of the present invention.

In the fourth embodiment, the multiplication and addition mode is added to the embodiments described above. In
order to execute this mode, a mode signal 4 is supplied to the timing/control circuit T/C.

(Operation)

An execution example of the multiplication and addition shown below is now described.

AxB+C (34)

First of all, in the equation (34), values A, B and C are stored in the arithmetic value memories Wlmem, Smem and
Whmem. The mode signal 4 is supplied to the timing/control circuit T/C to set the kind of arithmetic operation to the
mode of executing multiplication and addition.

The above operation is expressed in detail by hardware image as shown in Fig. 11.
This arithmetic operation means that values obtained by adding values stored in addresses Wh3, Wh2, Wh1 and
Wh0 to values obtained by multiplying values stored in addresses S3, S2, S1 and S0 of the arithmetic value memory
Smem by values stored in addresses Wl3, Wl2, Wl1 and Wl0 of the arithmetic value memory Wlmem are stored in
addresses Wh3, Wh2, Wh1, Wh0, Wl3, Wl2, Wl1 and Wl0 of the arithmetic value memories Whmem and Wlmem.

(Unit of Multiplication and Addition 1)

First, the value (multiplicand) stored in address Wl0 of the arithmetic value memory Wlmem is supplied to the
register Yi-reg, the value (multiplier) stored in address S0 of the arithmetic value memory Smem is supplied to the register
Xi-reg, and the value (addend) stored in address Wh0 of the arithmetic value memory Whmem is supplied to the
register Ai-reg. Then, the high-speed multiplier/adder Mul/Add multiplies the multiplier by the multiplicand and adds the
multiplied result to the addend to supply the added result to the high-speed adder Add. In this multiplication and addition
unit 1, a high level signal is supplied to the through terminal of the high-speed adder Add so that contents of the register
RH are not added.

Since the lower digit of the operation result in the unit of multiplication and addition is the least significant digit of
the final operation result of this multiplication and addition, the lower digit of the operation result in the unit of
multiplication and addition 1 is stored in the least significant address Wl0 of the arithmetic value memory Wlmem as the final
operation result of this multiplication. (In Fig. 11, the final operation result is stored in the underlined address.) The
upper digit of the operation result of the unit of multiplication and addition 1 is stored in the register RH for the next unit
of multiplication and addition.

(Unit of Multiplication and Addition 2)

The register Yi-reg holds the already stored value (multiplicand) and the register Xi-reg takes in the value
(multiplier) stored in the address S1 of the arithmetic value memory Smem and the register Ai-reg takes in the value (addend)
stored in address Wh1 of the arithmetic value memory Whmem. Then, the high-speed multiplier/adder Mul/Add
multiplies the multiplier by the multiplicand and adds the multiplied result to the addend to supply the added result to the
high-speed adder Add. In this multiplication and addition unit 2, a low level signal is supplied to the through terminal of
the high-speed adder Add so that contents (the upper digit of the operation result of the multiplication and addition unit
1) of the register RH are added to the output of the high-speed multiplier/adder Mul/Add. The lower digit of the operation
result in the unit of multiplication and addition 2 is stored in the least significant address Wh0 of the arithmetic value
memory Whmem. The upper digit of the operation result of the unit of multiplication and addition 2 is stored in the
register RH in order to align the digit in the next unit of multiplication and addition.

(Unit of Multiplication and Addition 3)

The register Yi-reg holds the already stored value (multiplicand) and the register Xi-reg takes in the value
(multiplier) stored in the address S2 of the arithmetic value memory Smem and the register Ai-reg takes in the value (addend)
stored in address Wh2 of the arithmetic value memory Whmem. Then, the high-speed multiplier/adder Mul/Add
multiplies the multiplier by the multiplicand and adds the multiplied result to the addend to supply the added result to the
high-speed adder Add. In this multiplication and addition unit 3, a low level signal is supplied to the through terminal of
the high-speed adder Add so that contents (the upper digit of the operation result of the multiplication and addition unit
2) of the register RH are added to the output of the high-speed multiplier/adder Mul/Add. The lower digit of the operation
result in the unit of multiplication and addition 3 is stored in the least significant address Wh1 of the arithmetic value
memory Whmem. The upper digit of the operation result of the unit of multiplication and addition 3 is stored in the
register RH in order to align the digit in the next unit of multiplication and addition.

(Unit of Multiplication and Addition 4)

The register Yi-reg holds the already stored value (multiplicand) and the register Xi-reg takes in the value
(multiplier) stored in the address S3 of the arithmetic value memory Smem and the register Ai-reg takes in the value (addend)
stored in address Wh3 of the arithmetic value memory Whmem. Then, the high-speed multiplier/adder Mul/Add
multiplies the multiplier by the multiplicand and adds the multiplied result to the addend to supply the added result to the
high-speed adder Add. In this multiplication and addition unit 4, a low level signal is supplied to the through terminal of
the high-speed adder Add so that contents (the upper digit of the operation result of the multiplication and addition unit
3) of the register RH are added to the output of the high-speed multiplier/adder Mul/Add. The lower digit of the operation
result in the unit of multiplication and addition 4 is stored in the least significant address Wh2 of the arithmetic value
memory Whmem. The upper digit of the operation result of the unit of multiplication and addition 4 is stored in address
Wh3 of the arithmetic value memory Whmem in order to align the digit in the next unit of multiplication and addition.

(Unit of Multiplication and Addition 5)

The value (multiplicand) stored in address Wl1 of the arithmetic value memory Wlmem is supplied to the register
Yi-reg, the value (multiplier) stored in address S0 of the arithmetic value memory Smem is supplied to the register
Xi-reg, and the value (addend) stored in address Wh0 of the arithmetic value memory Whmem is supplied to the register
Ai-reg. Then, the high-speed multiplier/adder Mul/Add multiplies the multiplier by the multiplicand and adds the
multiplied result to the addend to supply the added result to the high-speed adder Add. In this multiplication and addition unit
5, a high level signal is supplied to the through terminal of the high-speed adder Add so that contents (upper digit of the
operation result of the multiplication and addition unit 4) of the register RH are not added. The least significant digit of the
operation result of the multiplication and addition unit 5 is stored in address Wl1 of the arithmetic value memory Wlmem.
The most significant digit of the operation result of the multiplication and addition unit 5 is stored in the register RH in
order to align the digit in the next unit of multiplication and addition.

(Unit of Multiplication and Addition 6)

The register Yi-reg holds the already stored value (multiplicand) and the register Xi-reg takes in the value
(multiplier) stored in the address S1 of the arithmetic value memory Smem and the register Ai-reg takes in the value (addend)
stored in address Wh1 of the arithmetic value memory Whmem. Then, the high-speed multiplier/adder Mul/Add
multiplies the multiplier by the multiplicand and adds the multiplied result to the addend to supply the added result to the
high-speed adder Add. In this multiplication and addition unit 6, a low level signal is supplied to the through terminal of
the high-speed adder Add so that contents (the upper digit of the operation result of the multiplication and addition unit
5) of the register RH are added to the output of the high-speed multiplier/adder Mul/Add. The lower digit of the operation
result in the unit of multiplication and addition 6 is stored in address Wh0 of the arithmetic value memory Whmem. The
upper digit of the operation result of the unit of multiplication and addition 6 is stored in the register RH in order to align
the digit in the next unit of multiplication and addition.

(Unit of Multiplication and Addition 7)

The register Yi-reg holds the already stored value (multiplicand) and the register Xi-reg takes in the value
(multiplier) stored in the address S2 of the arithmetic value memory Smem and the register Ai-reg takes in the value (addend)
stored in address Wh2 of the arithmetic value memory Whmem. Then, the high-speed multiplier/adder Mul/Add
multiplies the multiplier by the multiplicand and adds the multiplied result to the addend to supply the added result to the
high-speed adder Add. In this multiplication and addition unit 7, a low level signal is supplied to the through terminal of
the high-speed adder Add so that contents (the upper digit of the operation result of the multiplication and addition unit
6) of the register RH are added to the output of the high-speed multiplier/adder Mul/Add. The lower digit of the operation
result in the unit of multiplication and addition 7 is stored in address Wh1 of the arithmetic value memory Whmem. The
upper digit of the operation result of the unit of multiplication and addition 7 is stored in the register RH in order to align
the digit in the next unit of multiplication and addition.

(Unit of Multiplication and Addition 8)

The register Yi-reg holds the already stored value (multiplicand) and the register Xi-reg takes in the value
(multiplier) stored in the address S3 of the arithmetic value memory Smem and the register Ai-reg takes in the value (addend)
stored in address Wh3 of the arithmetic value memory Whmem. Then, the high-speed multiplier/adder Mul/Add
multiplies the multiplier by the multiplicand and adds the multiplied result to the addend to supply the added result to the
high-speed adder Add. In this multiplication and addition unit 8, a low level signal is supplied to the through terminal of
the high-speed adder Add so that contents (the upper digit of the operation result of the multiplication and addition unit
7) of the register RH are added to the output of the high-speed multiplier/adder Mul/Add. The lower digit of the operation
result in the unit of multiplication and addition 8 is stored in address Wh2 of the arithmetic value memory Whmem. The
upper digit of the operation result of the unit of multiplication and addition 8 is stored in the address Wh3 of the
arithmetic value memory Whmem.

The units of multiplication and addition 9 to 16 are performed in accordance with the above multiplication and
addition unit as shown in Fig. 11. Thus, the final operation result is stored in the form of Whmem-Wlmem ("-" is not a mark
representing subtraction).

Fig. 12 shows the unit of multiplication and addition in case where 8591x4673+2069=40147812 is performed by
the above hardware. Operation of Fig. 12 is the same as Fig. 11 and accordingly description thereof is omitted.
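
The sequence of units described above can be traced in software. The following Python model is an added example, not part of the patent: it follows the register and address names used in the text, and the function names, the tuple layout of the trace and the use of decimal digits (to reproduce 8591x4673+2069) are assumptions of the example.

```python
# Added example (not from the patent): software model of the multiplication
# and addition mode, one "unit of multiplication and addition" per inner step.

def to_digits(value, digits, base):
    """Split value into `digits` digits; index 0 is the least significant address."""
    if value < 0 or value >= base ** digits:
        raise ValueError("operand does not fit in the arithmetic value memory")
    return [(value // base ** k) % base for k in range(digits)]

def mul_add_units(A, B, C, digits=4, base=10):
    """Compute AxB+C digit by digit and return (result, trace).

    Each trace entry is
    (unit, Yi, Xi, Ai, through, low digit, low destination, high digit, high destination).
    """
    wl = to_digits(A, digits, base)   # Wlmem: multiplicand, later low half of the result
    s = to_digits(B, digits, base)    # Smem: multiplier
    wh = to_digits(C, digits, base)   # Whmem: addend, later high half of the result
    trace, unit = [], 0
    for j in range(digits):
        yi = wl[j]                    # Yi-reg keeps Wl[j] for one row of units
        rh = 0                        # register RH
        for k in range(digits):
            unit += 1
            xi, ai = s[k], wh[k]      # Xi-reg and Ai-reg
            through = (k == 0)        # high level on "through": RH is not added
            total = xi * yi + ai + (0 if through else rh)
            high, low = divmod(total, base)   # never exceeds two digits
            if k == 0:
                wl[j], low_dest = low, f"Wl{j}"          # a final low digit
            else:
                wh[k - 1], low_dest = low, f"Wh{k - 1}"  # shifted down one address
            if k == digits - 1:
                wh[k], high_dest = high, f"Wh{k}"
            else:
                rh, high_dest = high, "RH"
            trace.append((unit, yi, xi, ai, through, low, low_dest, high, high_dest))
    # Final result is stored in the form Whmem-Wlmem.
    result = sum(d * base ** i for i, d in enumerate(wl + wh))
    return result, trace

if __name__ == "__main__":
    value, trace = mul_add_units(8591, 4673, 2069)
    for row in trace:
        print(row)
    print(value)
```

With digits=32 and base=2**16 the same loop runs the 1024 units counted for 512-bit operands in the third embodiment.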

As described above, according to the fourth embodiment, since the multiplication and addition mode having the
long bit length which is the foundation of various arithmetic operations can be realized, the generality of the coprocessor
can be improved greatly.

(Calculation of N')

In addition, for the multiplication and addition, the calculation of N' will be described hereinafter. As described
hereinbefore, each of the values is as follows:

(1) RxR'-NxN'=1 (RxR'modN=1)

(2) R is defined as an exponent of 2 which is slightly larger than modulus N

(3) N is odd

(4) 0<N'<R

Then,

RxR'=XXX...XXX000...000

NxN'=YYY...YYY111...111 (35)
(the number of "0","1" is n)

XXX...XXX=YYY...YYY+1=R' (36)

In order to obtain N' based on N, it is necessary to give the above equation (35) in such a manner that all of the
lower bits of NxN' are equal to "1".

Fig. 21 is a flowchart showing the calculation of N'. In Fig. 21, the reference symbol n denotes the bit length of N, i
the bit position pointer, A the working register, B the N' result register, a the 2^iN storage register, Ai the bit position
denoted by i of A, and Bi the bit position denoted by i of B, wherein the bit length of the working register A and the 2^iN
storage register a is 2n, and the bit length of B is n.

Firstly, data representing the bit length of N is set to n and the value of N is set to the working register A, while the
bit position pointer i and the N' result register B are cleared. Next, the 2^iN storage register is set to 2^iN (initial value is
2^0N). Further, the value of the bit position Ai is checked on whether it is equal to 1 or not. If yes, then the bit position
pointer i is incremented. If no, then the bit position Bi is set to 1 and a new value of the former value of the working register
A plus the value (initial value is 2^0N) of the 2^iN storage register is set to the working register A; and also the same
increment of the bit position pointer i follows. Moreover, the bit position pointer i is checked on whether or not it is equal to
the bit length of N plus 1. If yes (it differs therefrom), then the similar procedure continues, which will repeat until it
reaches the bit length of N plus 1. If no (it equals thereto), the calculation of N' is over. In this way, the final value of the
N' result register B provides N'.

Hereinbelow, an example of calculating N' and R' will be described. Fig. 22 shows an example of calculating N' and
R', each of which involves comparatively short digit number.

Firstly, for a given N (=11010111), the left bit-shift of N is repeated until the LSB (Least Significant Bit) of the shifted
N encounters a first "0" bit (2^3) lying in the 2^0xN, that is, the left bit-shift is performed three times. This gives 2^3xN. Next,
the 2^0xN and 2^3xN are added, which provides a first sum 11110001111 as shown in the figure. Similarly to the way of
obtaining the 2^3xN, for this sum, the left bit-shift of N is repeated until the LSB of the shifted N encounters a first "0" bit
(2^4) lying in the sum, namely, the left bit-shift is executed four times, thereby giving 2^4xN. Subsequently, the sum and
2^4xN are added, thus producing a second sum (=1010011111111). Finally, adding 2^0xN, 2^3xN, and 2^4xN, which is a
total sum of 2^i, gives N' (=25). Incidentally, the digit number of the R (=100000000) is 9. The figures (=10100) lying
in digit positions equal to or more than the 9th digit position provide R'-1, thereby giving R' (=21).
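
The shift-and-add calculation of N' and R' can be reproduced in a few lines. The following Python function is an added example, not part of the patent; its name and return layout are hypothetical, and, following the Fig. 22 walk-through, bit 0 of N' is taken as set from the start because 2^0xN is the first addend.

```python
# Added example (not from the patent): N' and R' by shift-and-add, as in Fig. 22.

def n_prime_shift_add(N, n):
    """Return (N', R', steps) for odd N < R = 2**n, so that RxR' - NxN' = 1.

    steps lists (i, running sum) after each addition of 2^i x N.
    """
    if N % 2 == 0 or not 0 < N < (1 << n):
        raise ValueError("N must be odd and smaller than R = 2**n")
    R = 1 << n
    A = N                   # working register (2n bits): sum of the selected 2^i x N
    B = 1                   # N' result register: 2^0 x N is the first addend
    steps = [(0, A)]
    for i in range(1, n):   # bit position pointer
        if (A >> i) & 1:    # bit Ai is already 1: nothing to add at this position
            continue
        B |= 1 << i         # set Bi
        A += N << i         # add 2^i x N: bits below i are unchanged, bit i becomes 1
        steps.append((i, A))
    # Equation (35): A is now N x N' and its lower n bits are all 1.
    if A != N * B or A & (R - 1) != R - 1:
        raise AssertionError("lower bits of N x N' are not all 1")
    R_prime = (A >> n) + 1  # equation (36): the part above the n ones, plus 1
    return B, R_prime, steps

if __name__ == "__main__":
    N = 0b11010111          # the value of N used in the Fig. 22 description
    n_prime, r_prime, steps = n_prime_shift_add(N, 8)
    for i, total in steps:
        print(f"after adding 2^{i} x N: {total:b}")
    print("N' =", n_prime, " R' =", r_prime)
```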

(Fifth Embodiment)

(Structure)

Since the coprocessor described in the above embodiments is required to make access to the memory for each
unit of multiplication and addition determined by the input bit length of the high-speed multiplier/adder Mul/Add and the
high-speed adder Add, there is room for improvement in reduction of the operation time. The reason is that the
operation speed of the whole circuit including the memories is limited by the memory access time.

In this embodiment, the number of times of accesses to the memories with respect to the number of times of
arithmetic operations in the unit of multiplication and addition is reduced to shorten the final operation time.

Fig. 13 is a block diagram schematically illustrating the modular arithmetic coprocessor according to the fifth
embodiment of the present invention.

In the fifth embodiment, the multiplicand storage register Yi-reg is increased to a plurality of multiplicand storage
registers and there is provided a circuit for selecting outputs of the plurality of multiplicand storage registers as
compared with the above embodiments. Further, the registers for storing the upper digit output value or the lower digit output
value of the high-speed adder Add are provided correspondingly in number to the multiplicand storage registers and
there are provided selection circuits for properly selecting output values of the registers.

More particularly, registers Yi-reg[0], Yi-reg[1], Yi-reg[2] and Yi-reg[3] are the multiplicand storage registers having
the bit length corresponding to the input bit length of the high-speed multiplier/adder Mul/Add and respective outputs of
these multiplicand storage registers are connected to the multiplicand selection circuit Yi-sel. The multiplicand selection
circuit Yi-sel is a selection circuit which selects any one of values in the registers Yi-reg[0], Yi-reg[1], Yi-reg[2] and
Yi-reg[3] to supply the selected value to the high-speed multiplier/adder Mul/Add in the subsequent state.

A register RA is a register for temporarily storing the upper digit R-high of the output of the high-speed adder Add
and the output of the register RA is connected to the selection circuits SelA, SelB and EnSel. The lower digit R-low of
the output of the high-speed adder Add is connected to the selection circuit SelB and an enable buffer En.

The output of the register Ai-reg is connected to the selection circuit SelA. The selection circuit SelA selects any of
contents of the register Ai-reg and the register RA and is connected to the high-speed adder Add to supply the selected
signal to the high-speed adder Add.
The selection circuit SelB selects any of contents of R-low and a register RA and is connected to the register RB
to supply the selected result to the register RB.

The register RB is a register for temporarily storing the output of the selection circuit SelB and the output of a
register RB is connected to the register RC and Ensel.

The register RC is a register for temporarily storing the output of the register RB and the output of the register RC
is connected to a register RD and the selection circuit Ensel.

The register RD is a register for temporarily storing the output of the register RC and the output of the register RD
is connected to the selection circuit Ensel and the high-speed multiplier/adder Mul/Add.

The selection circuit Ensel is a selection circuit for selecting any one of contents of the registers RA, RB, RC and
RD and supplying the selected result to the arithmetic value memories.

Other circuits have the same function as that of the above embodiments and accordingly description thereof is
omitted.

(Operation)

The calculation method of the following equation:
(A3A2A1A0)xB0+C0

which is the foundation of the arithmetic is now described with reference to Fig. 14 using the following hardware image.
(Wl3, Wl2, Wl1, Wl0)xS0=(RA, RB, RC, RD, Wl0)
The underlined address means that the final arithmetic result is stored therein.

(Initialization)

First, as shown in Fig. 14, the initialization is performed.

(Step 1)

An arithmetic operation is made among a value of the register Xi-reg, a value of the register Yi-reg[0] selected by
the selection circuit Yi-sel, a value of the register RD and a value of the register Ai-reg selected by the selection circuit
SelA. Immediately before the end of this arithmetic operation, the upper digit R-high of the arithmetic result is stored in
the register RA and the lower digit R-low thereof is stored in the arithmetic value memory Wlmem. At the same time,
the values of the registers RC and RB are stored in the registers RD and RC, respectively, and the value of the register
RA is stored in the register RB selected by the selection circuit SelB.

(Step 2)

The arithmetic operation is made among the value of the register Xi-reg, the value of the register Yi-reg[1] selected
by the selection circuit Yi-sel, the value of the register RD and the value of the register RA selected by the selection
circuit SelA. Immediately before the end of this arithmetic operation, the upper digit R-high of the arithmetic result is
stored in the register RA and the lower digit R-low thereof is stored in the register RB selected by the selection circuit
SelB. At the same time, the values of the registers RC and RB are stored in the registers RD and RC, respectively.

(Step 3)

The arithmetic operation is made among the value of the register Xi-reg, the value of the register Yi-reg[2] selected
by the selection circuit Yi-sel, the value of the register RD and the value of the register RA selected by the selection
circuit SelA. Immediately before the end of this arithmetic operation, the upper digit R-high of the arithmetic result is
stored in the register RA and the lower digit R-low thereof is stored in the register RB selected by the selection circuit
SelB. At the same time, the values of the registers RC and RB are stored in the registers RD and RC, respectively.

(Step 4)

The arithmetic operation is made among the value of the register Xi-reg, the value of the register Yi-reg[3] selected
by the selection circuit Yi-sel, the value of the register RD and the value of the register RA selected by the selection
circuit SelA. Immediately before the end of this arithmetic operation, the upper digit R-high of the arithmetic result is
stored in the register RA and the lower digit R-low thereof is stored in the register RB selected by the selection circuit
SelB. At the same time, the values of the registers RC and RB are stored in the registers RD and RC, respectively.

In the above process from step 1 to step 4, the access to the arithmetic value memory is merely made once in step
1. Accordingly, during the remaining period from step 2 to step 4, change of addresses of the arithmetic value memories
and precharging can be made to obtain the time for access to the memory. The operations performed in the period from
step 2 to step 4 are substantially identical and accordingly the arithmetic operation is not complicated.
As another example of the arithmetic operation, the calculation method of the following equation:
(A3, A2, A1, A0)x(B3, B2, B1, B0)+(C3, C2, C1, C0)
is shown in Figs. 15 and 16 using the following hardware image.
(Wl3, Wl2, Wl1, Wl0)x(S3, S2, S1, S0)+(Wh3, Wh2, Wh1, Wh0)=(RA, RB, RC, RD, Wl3, Wl2, Wl1, Wl0)

Further, as an example of an actual calculation, Fig. 16 shows the arithmetic process from time 1 to time 4 of
8591x4673+2069=40147812.

The underlined values are the final results of the arithmetic operation.

It can be understood from Fig. 16 that the upper digits of the final result are values stored in the registers RA, RB,
RC and RD obtained in step 4 of time 4 and the lower digits are values stored in the arithmetic value memory Wlmem
obtained in step 1.

As described above, according to the fifth embodiment, it is not necessary to change the size of the arithmetic
processing unit such as the multiplier/adder and the like, and there can be realized the modular arithmetic coprocessor
constituted by a small-scale circuit as a whole and having a short operation time.

(Sixth Embodiment)
(Structure)

Fig. 17 is a block diagram schematically illustrating the sixth embodiment of the present invention. The embodiment
includes an arithmetic value memory interface circuit and an arithmetic control circuit provided between the
coprocessor described above and the external unit.

(Arithmetic Value Memory Interface Circuit MemIF)

The circuit MemIF serves to transmit and receive data between MCU and the arithmetic value memories in the
coprocessor.

The arithmetic value memories store arithmetic data from the outside of the coprocessor prior to the arithmetic
operation and send the arithmetic results to the outside of the coprocessor upon completion of the arithmetic operation.
At the same time, the arithmetic value memories repeatedly make access to the arithmetic unit dynamically without
relation to the outside of the coprocessor. That is, the arithmetic value memories have two kinds of communication
protocol. The arithmetic value memory interface circuit is constituted to attain the protocol.

An address signal adrs and a memory control signal Memcon produced by the MCU are inputted to the arithmetic
value memory interface MemIF and an address signal Comemad and a memory control signal Comcon are prepared
for each arithmetic value memory in the coprocessor in the arithmetic value memory interface MemIF to be supplied to
the coprocessor. MDbus is a data bus of MCU and CoDbus is a data bus for external interface of the coprocessor.

When the arithmetic value memories are disposed in a single memory space within the MCU, one kind of the adrs
signal and the Memcon signal inputted to the arithmetic value memory interface MemIF, and MDbus are provided, while
when the arithmetic value memories are disposed in a plurality of memory spaces, a plurality of kinds of inputs are
required. Generally, MDbus and CoDbus are often connected directly, while, for example, when the data length of the
arithmetic value memories processed within the coprocessor and the data length of MCU are different, data conversion
is made through the arithmetic value memory interface MemIF.

Further, since the arithmetic value memories are operated dynamically for execution of the arithmetic while the
coprocessor executes the arithmetic, it is controlled to inhibit access from the MCU. In this manner, the first
communication protocol between the arithmetic value memories in the coprocessor and the external unit is realized.

Upon execution of the arithmetic, a memory control signal produced by the timing/control circuit T/C in the
coprocessor is inputted to the arithmetic value memory interface MemIF. When the arithmetic value memory interface
MemIF receives the signal, the interface MemIF supplies to the coprocessor the Comemad signal and the Comcon signal
processed to cause the arithmetic value memories to transmit and receive data between the arithmetic unit and the
arithmetic value memories. In this manner, the second communication protocol between the arithmetic unit and the
arithmetic value memories during execution of the arithmetic within the coprocessor is realized.

(Arithmetic Control Circuit CopCon) 

The arithmetic control circuit CopCon serves to receive a coprocessor control signal Excon produced by the MCU
and supply an arithmetic control signal Sevex (arithmetic mode signal, bit length selection signal and the like in the
above embodiments) to the coprocessor. The arithmetic operation in the coprocessor is started by supplying the
arithmetic mode signal and the clock COPCLK for the coprocessor.
Further, in order to confirm the completion of the arithmetic operation on the side of the MCU, a timing signal Coend
for completion of the arithmetic produced by the timing/control circuit T/C in the coprocessor is received by CopCon and
an arithmetic completion monitoring signal Endmoni processed by a latch circuit or the like is supplied to MCU.

Generally, the arithmetic control circuit CopCon can be constituted to be distributed in a local memory area as a
peripheral circuit of MCU and make direct access by an instruction of MCU and can be realized by a relatively simple
circuit.

In Fig. 17, an MCUCLK signal represents a clock for MCU and a COPCLK signal represents a clock for the
coprocessor.

As described above, according to the sixth embodiment, since the interface between the external unit (for example,
MCU) and the coprocessor can be realized by a relatively small-scale circuit, the modular arithmetic coprocessor with
the external interface or the MCU including the modular arithmetic coprocessor can be constituted and can be realized
by LSI.

(Seventh Embodiment) 

The only measure for confirming the completion of the arithmetic from the outside of the coprocessor is the
examination of the arithmetic completion monitoring signal Endmoni. With this method, however, as the amount of
long-bit-length modular arithmetic processed by the coprocessor increases, the time the external unit (for example,
the MCU) spends constantly monitoring Endmoni becomes relatively long, and accordingly the operation performance
of the MCU is reduced.

In order to solve this problem, this embodiment includes an exclusive interrupt control circuit for the completion time
of the arithmetic.

Fig. 18 is a block diagram schematically illustrating the seventh embodiment of the present invention. 

In Fig. 18, IntCon represents an arithmetic completion interrupt control circuit in which preparation of the interrupt
is made by an interrupt setting signal Intset produced by the MCU previously. When the arithmetic completion timing
signal Coend is inputted by the coprocessor, an interrupt processing request signal, an acknowledge signal and a
vector control signal necessary for the interrupt are transmitted and received as Intsig between the MCU and the IntCon
for each kind of the arithmetic mode set by the CopCon and finally the interrupt preparation is canceled to terminate the
interrupt process.

A single interrupt factor for the arithmetic completion may be set fixedly, while since the coprocessor has a plurality
of arithmetic modes, the method of development to the modulo exponentiation arithmetic by the external unit is made
easy by performing interrupt for each arithmetic mode and accordingly it is desirable to set a plurality of interrupt factors.

IntCon can be constituted to be distributed in a local memory area as a peripheral circuit of the MCU similarly to the
arithmetic control circuit CopCon and make direct access by an instruction of MCU and can be realized by a relatively
simple circuit.

As described above, according to the seventh embodiment, the modular arithmetic coprocessor with the external
interface or the MCU including the modular arithmetic coprocessor having the arithmetic completion interrupt function
can be constituted by a relatively small-scale circuit and can be realized by LSI.

(Eighth Embodiment) 

Since the modular arithmetic operation in the coprocessor is dynamically performed from the beginning to the end
of the arithmetic operation, it is convenient that operation of the external unit during execution of the arithmetic may be
set to a temporary stop state (hereinafter referred to as sleep) in order to suppress a consumption current during
execution of the arithmetic in the whole system connected to the external unit.
The embodiment includes an exclusive external unit sleep control circuit and clock control circuit provided in order
to realize the sleep operation.

Fig. 19 schematically illustrates the eighth embodiment and includes the external unit sleep control circuit and the 
clock control circuit added to the seventh embodiment. 

In Fig. 19, SlpCon represents an MCU sleep control circuit, which receives a sleep set signal Slpset from the MCU
and produces a sleep signal Slp to supply the sleep signal to the clock control circuit CLKCon.

The clock control circuit CLKCon usually supplies the clock MCUCLK to the MCU in response to the system clock
CLK signal inputted externally, while once the Slp signal is received, the clock control circuit CLKCon serves to stop
supply of the clock MCUCLK to the MCU.
Upon completion of the arithmetic operation, the arithmetic completion timing signal Coend is supplied to the
SlpCon to stop supply of the Slp signal to the CLKCon, so that supply of MCUCLK to the MCU from the CLKCon is
resumed.

Generally, the sleep function is often canceled by inputting a signal to a certain terminal of the external unit.
Accordingly, in this case, the sleep control circuit SlpCon may be constituted to have this function.
The SlpCon can be constituted to be distributed in a local area memory as a peripheral circuit of the MCU similarly
to the arithmetic control circuit CopCon and to make direct access by an instruction of the MCU and can be realized by
a relatively simple circuit.

As described above, according to the eighth embodiment, the modular arithmetic coprocessor with the external
interface or the MCU including the modular arithmetic coprocessor having the external unit sleep function can be
constituted by a relatively small-scale circuit and can be realized by LSI.

(Ninth Embodiment) 

The coprocessor can be used when the high-speed characteristic of the processing time of the cryptograph
algorithm for performing a large-scale complicated modular arithmetic is questioned. Accordingly, it is required that the
operation time is short even for any frequency of an input clock supplied to the system.

A frequency multiplied clock control circuit is included to improve the operation speed. 

Fig. 20 is a block diagram schematically illustrating the ninth embodiment, in which the clock control circuit of the
eighth embodiment is modified to constitute the frequency multiplied clock control circuit.
The frequency multiplied clock control circuit may be added to the sixth or seventh embodiment separately.

In Fig. 20, CLKCon2 represents the clock control circuit including the frequency multiplied clock control circuit,
which is supplied with a signal Ckwset from the MCU as a frequency multiplication setting signal to operate the
frequency multiplication function.

The frequency multiplication function is operated in response to the clock CLK supplied externally, and the circuit
thereof is constituted so that the prepared frequency multiplied clock is produced as the clock MCUCLK for the MCU,
the clock COPCLK for the coprocessor or both of them. Thus, the user can make various selection in the system in
consideration of trade-off of the consumption current.

The frequency multiplication function can be canceled by inputting the signal Ckwset as a cancellation signal in the
same manner as the setting thereof.
The frequency multiplied clock control circuit can be constituted to be distributed in a local memory area as a
peripheral circuit of the MCU similarly to the arithmetic control circuit CopCon and to make direct access by an
instruction of the MCU and can be realized by a relatively simple circuit.

As described above, according to the ninth embodiment, the modular arithmetic coprocessor with the external
interface or the MCU including the modular arithmetic coprocessor having the frequency multiplication function of the
system can be constituted by a relatively small-scale circuit to improve the operation processing speed of the whole
system and can be realized by LSI.

The high-speed multiplier/adder Mul/Add shown in the first to fifth embodiments may be constituted by the multiplier
and the adder provided separately.

The high-speed multiplier/adder Mul/Add and the high-speed adder Add shown in the first to fifth embodiments may
be constituted integrally.

The high-speed multiplier/adder Mul/Add and the high-speed adder Add shown in the first to fifth embodiments may 
be constituted by commercially available ICs. 

The coprocessor shown in the sixth to ninth embodiments is constituted on the basis of the coprocessor shown in
the first to fifth embodiments but may be constituted by another coprocessor having the same function as that of the
coprocessor shown in the first to fifth embodiments.

The long-bit-length multiplication algorithm shown in the first to fifth embodiments has been described generally, 
while another algorithm (for example, BOOTH or the like) capable of being used by the hardware structure used in the 
description may be constituted by the timing/control circuit. 

In the description of the second to fifth embodiments, the "0" detection circuit ZeroC is used to reduce the
arithmetic value memories as the primary object, while the ZeroC can be used to control the sequence so that, for
example, when contents of the multiplier or the multiplicand of the unit of multiplication are 0, the arithmetic operation
is omitted and the value on the way of the arithmetic operation is set to 0 to proceed to the next operation to thereby
reduce the operation time.

In the fifth embodiment, the number of the multiplicand storage register is increased, while the bit length of the
multiplicand storage register is lengthened to increase the size thereof.

As described above, according to the representative of the present invention, when the solution of the modulo 
exponentiation arithmetic is obtained, the previously prepared mode signal can be merely supplied to thereby execute 
the various arithmetic operations. 


Claims 

1. The method of performing a modular multiplication arithmetic which executes a first common equation of a modular
multiplication arithmetic f(A, B)=AxBmodN ("mod" denotes modular arithmetic) to calculate a remainder of a product
of an integer A and an integer B divided by an integer N, using a second common equation of Montgomery's
replacement arithmetic f'(A, B)=AxBxR'modN corresponding to the first common equation f(A, B)=AxBmodN (R'
denotes a value to meet the equation RxR'modN=1 with respect to R which is an exponent of 2 slightly larger than
modulus N), the method comprising:

a first step of executing a first replacement arithmetic f1'(R^S modN x A^T, B^U) (S denotes one of 0, 1, and 2; T
denotes one of 0 and 1; and U denotes one of 0 and 1); and

a second step of executing a second replacement arithmetic f2' {R^" ®modNxA'^xfi*(R®modNxA"^, B^), 
R^modNxA^ "^xB^-^)}. 

2. The method of performing a modular multiplication arithmetic as set forth in claim 1, wherein the first and second
executing steps each includes the step of executing the respective first and second replacement arithmetics, by
using the function REDC denoted by the steps of (m and t denote variables):

(a) m=(AxBmodR)xN'modR
(b) t=(AxB+mxN)/R
(c) if t<N return t (t: result)
(d) else return t-N (t-N: result).

3. The method of performing a modular exponentiation arithmetic which executes a general equation of a modular
exponentiation arithmetic F(M, E)=M^E modN ("mod" denotes modular arithmetic) to calculate a remainder of an
integer M to the integer Eth power divided by an integer N, by executing a first common equation of a modular
multiplication arithmetic f(A, B)=AxBmodN to calculate a remainder of a product of an integer A and an integer B
divided by an integer N, using a second common equation of Montgomery's replacement arithmetic f'(A,
B)=AxBxR'modN corresponding to the first common equation f(A, B)=AxBmodN (R' denotes a value to meet the
equation RxR'modN=1 with respect to R which is an exponent of 2 slightly larger than modulus N) in the iterative
square and multiplication method for calculating the modular exponentiation arithmetic, the method comprising:

a first step of executing a first replacement arithmetic f1'(f2', f2') (the initial f1'=f1'(RmodN, RmodN));
a second step of executing a second replacement arithmetic f2'(f1', MxRmodN); and
a third step of executing a third replacement arithmetic f3'(f2', 1), wherein the third step of executing is laid after
the first step of executing and the second step of executing are repeated at respective times specified by the
integer E.

4. The method of performing a modular exponentiation arithmetic as set forth in claim 3, wherein the first, second, and
third steps of executing each includes a step of executing the respective first, second, and third replacement
arithmetics, using the function REDC denoted by the steps of (m and t denote variables):

(a) m=(AxBmodR)xN'modR
(b) t=(AxB+mxN)/R
(c) if t<N return t (t: result)
(d) else return t-N (t-N: result).

5. The method of performing a modular exponentiation arithmetic as set forth in claim 4, further comprising:

a step of detecting whether or not the product of the integer A and B is equal to a multiple of the integer R;

a step of skipping the step (a) m=(AxBmodR)xN'modR and setting the variable m "0" in the function REDC,
while skipping the step (b) t=(AxB+mxN)/R and setting the variable t "AxB/R" in the function REDC, upon
detecting that the product of the A and B equals to a multiple of the R; and

a step of setting the variable m first figures lying lower than the most significant bit of the integer R among
second figures, the second figures being a product of a third figures and the N', third figures being lying lower than
the most significant bit of the integer R among a product of the integer A and the integer B, while setting the
variable t sum of the following three figures: (1) fourth figures lying upper than the most significant bit of the
integer R among the product of the integer A and the integer B, (2) fifth figures lying upper than the most
significant bit of the integer R among a product of the variable m and the integer N, and (3) 1, upon detecting that
the product of the integer A and the integer B differs from any multiples of the integer R.

6. The method of performing a modular exponentiation arithmetic as set forth in claim 3, further comprising:

a step of inputting digit length of the modular exponentiation to be calculated; and

a step of setting execution conditions on Montgomery's replacement arithmetic f' corresponding to the input
digit length.

7. The apparatus for performing a modular multiplication arithmetic which executes a first common equation of a
modular multiplication arithmetic f(A, B)=AxBmodN ("mod" denotes modular arithmetic) to calculate a remainder of a
product of an integer A and an integer B divided by an integer N, using a second common equation of
Montgomery's replacement arithmetic f'(A, B)=AxBxR'modN corresponding to the first common equation f(A,
B)=AxBmodN (R' denotes a value to meet the equation RxR'modN=1 with respect to R which is an exponent of 2
slightly larger than modulus N), the apparatus comprising:

first executing means for executing a first replacement arithmetic f1'(R^S modN x A^T, B^U) (S denotes one of 0, 1,
and 2; T denotes one of 0 and 1; and U denotes one of 0 and 1); and

second executing means for executing a second replacement arithmetic fg' {R^'®modNxA^xfi'(R®modNxA^, 
B^). R^modNxA^'-'^xB^'^}. 

8. The apparatus for performing a modular multiplication arithmetic as set forth in claim 7, wherein the first and
second executing means each includes means for executing the respective first and second replacement arithmetics,
by using the function REDC denoted by the steps of (m and t denote variables):

(a) m=(AxBmodR)xN'modR
(b) t=(AxB+mxN)/R
(c) if t<N return t (t: result)
(d) else return t-N (t-N: result).

9. The apparatus for performing a modular multiplication arithmetic as set forth in claim 8, further comprising: N'
calculating means for calculating the N' through multiplication and addition based on the N, and means for storing the
N'.

10. The apparatus for performing a modular exponentiation arithmetic which executes a general equation of a modular
exponentiation arithmetic F(M, E)=M^E modN ("mod" denotes modular arithmetic) to calculate a remainder of an
integer M to the integer Eth power divided by an integer N, by executing a first common equation of a modular
multiplication arithmetic f(A, B)=AxBmodN to calculate a remainder of a product of an integer A and an integer B
divided by an integer N, using a second common equation of Montgomery's replacement arithmetic f'(A,
B)=AxBxR'modN corresponding to the first common equation f(A, B)=AxBmodN (R' denotes a value to meet the
equation RxR'modN=1 with respect to R which is an exponent of 2 slightly larger than modulus N) in the iterative
square and multiplication method for calculating the modular exponentiation arithmetic, the apparatus comprising:

first executing means for executing a first replacement arithmetic f1'(f2', f2') (the initial f1'=f1'(RmodN, RmodN));
second executing means for executing a second replacement arithmetic f2'(f1', MxRmodN); and
third executing means for executing a third replacement arithmetic f3'(f2', 1).

11. The apparatus for performing a modular exponentiation arithmetic as set forth in claim 10, further comprising:

first pre-calculation means for calculating the RmodN before calculating the first replacement arithmetic f1'(f2',
f2') of the first means;

first storage means for storing the calculated RmodN;

second pre-calculation means for calculating the MxRmodN before calculating the second replacement
arithmetic f2'(f1', MxRmodN); and

second storage means for storing the calculated MxRmodN.

12. The apparatus for performing a modular exponentiation arithmetic as set forth in claim 10, wherein the first, second,
and third executing means each includes means for executing the respective first, second, and third replacement
arithmetics, using the function REDC denoted by the steps of (m and t denote variables):

(a) m=(AxBmodR)xN'modR
(b) t=(AxB+mxN)/R
(c) if t<N return t (t: result)
(d) else return t-N (t-N: result).

13. The apparatus for performing a modular exponentiation arithmetic as set forth in claim 12, further comprising: N'
calculating means for calculating the N' through multiplication and addition based on the N, and means for storing
the N'.

14. The apparatus for performing a modular exponentiation arithmetic as set forth in claim 12, further comprising:

means for detecting whether or not the product of the integer A and B is equal to a multiple of the integer R;
means for skipping the step (a) m=(AxBmodR)xN'modR and setting the variable m "0" in the function REDC,
while skipping the step (b) t=(AxB+mxN)/R and setting the variable t "AxB/R" in the function REDC, upon
detecting that the product of the A and B equals to a multiple of the R; and

means for setting the variable m first figures lying lower than the most significant bit of the integer R among
second figures, the second figures being a product of a third figures and the N', third figures being lying lower
than the most significant bit of the integer R among a product of the integer A and the integer B, while setting
the variable t sum of the following three figures: (1) fourth figures lying upper than the most significant bit of the
integer R among the product of the integer A and the integer B, (2) fifth figures lying upper than the most
significant bit of the integer R among a product of the variable m and the integer N, and (3) 1, upon detecting that
the product of the integer A and the integer B differs from any multiples of the integer R.

15. The apparatus for performing a modular exponentiation arithmetic as set forth in claim 10, further comprising:

means for inputting digit length of the modular exponentiation to be calculated; and

means for setting execution conditions on Montgomery's replacement arithmetic f' corresponding to the input
digit length.

16. The apparatus for modular exponentiation arithmetic as set forth in claim 10, further comprising:

a plurality of registers in use for execution of the first arithmetic f1', the second arithmetic f2', and the third
arithmetic f3'.

17. The encrypting apparatus which prepares a cryptograph by encrypting a plaintext M with encryption keys E and N,
wherein a common equation of Montgomery's replacement arithmetic f'(A, B)=AxBxR'modN corresponding to a
common equation f(A, B)=AxBmodN in the iterative square and multiplication method for executing the modular
exponentiation arithmetic is employed, the encrypting apparatus comprising:

for given XxRmodN and YxRmodN, first executing means for executing a first replacement arithmetic
f1'(XxRmodN, XxRmodN)=X^2xRmodN;

second executing means for executing a second replacement arithmetic f2'(XxRmodN,
YxRmodN)=XxYxRmodN; and

third executing means for executing a third replacement arithmetic f3'(XxRmodN, 1)=XmodN.



18. The encryption apparatus as set forth in claim 17, wherein the first, second, third executing means each includes
means for executing the respective first, second, and third replacement arithmetics, by using the function REDC
denoted by the steps of (m and t denote variables):

(a) m=(AxBmodR)xN'modR
(b) t=(AxB+mxN)/R
(c) if t<N return t (t: result)
(d) else return t-N (t-N: result).
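
Added example (not part of the patent text): the REDC function of claims 2, 4 and 5 and the three-step square-and-multiply sequence of claims 3, 10 and 17, written in Python so the steps can be checked against ordinary modular arithmetic. The function names are hypothetical, and N' is assumed to be -N^-1 mod R, the value that makes the division by R in step (b) exact.

```python
# Added example, not the patent's own code. Function names are hypothetical.
# Assumption: N' = -N^-1 mod R, the value that makes step (b) divide exactly.

def mont_params(N):
    """Return (k, R, N') with R = 2**k the power of 2 just above odd N."""
    if N < 3 or N % 2 == 0:
        raise ValueError("Montgomery reduction needs an odd modulus N >= 3")
    k = N.bit_length()
    R = 1 << k
    return k, R, (-pow(N, -1, R)) % R


def redc(A, B, N, k, N_prime):
    """REDC steps (a)-(d): A*B*R' mod N for 0 <= A, B < N."""
    mask = (1 << k) - 1
    T = A * B
    m = ((T & mask) * N_prime) & mask        # (a) m=(AxBmodR)xN'modR
    t = (T + m * N) >> k                     # (b) t=(AxB+mxN)/R, exact
    return t if t < N else t - N             # (c), (d)


def redc_split(A, B, N, k, N_prime):
    """Claim 5/14 variant: works on the parts above and below bit k."""
    mask = (1 << k) - 1
    T = A * B
    if T & mask == 0:
        t = T >> k                           # multiple of R: m=0, t=AxB/R
    else:
        m = ((T & mask) * N_prime) & mask
        # The low parts of T and m*N are non-zero and sum to 0 mod R,
        # so they sum to exactly R: the carry into the upper part is 1.
        t = (T >> k) + ((m * N) >> k) + 1
    return t if t < N else t - N


def mont_modexp(M, E, N, reduce=redc):
    """M**E mod N by the three replacement arithmetics of claims 3 and 10."""
    if E < 0:
        raise ValueError("exponent must be non-negative")
    k, R, N_prime = mont_params(N)
    x = R % N                                # RmodN, Montgomery form of 1
    M_R = (M % N) * R % N                    # MxRmodN, pre-calculated once
    for bit in bin(E)[2:]:                   # exponent bits, MSB first
        x = reduce(x, x, N, k, N_prime)      # first:  f1'(f2', f2')
        if bit == "1":
            x = reduce(x, M_R, N, k, N_prime)  # second: f2'(f1', MxRmodN)
    return reduce(x, 1, N, k, N_prime)       # third:  f3'(f2', 1)


if __name__ == "__main__":
    # Constructed sample values, small enough to check by hand.
    N, M, E = 3233, 65, 17
    print(mont_modexp(M, E, N), pow(M, E, N))
    print(mont_modexp(M, E, N, reduce=redc_split))
```

Steps (c)/(d) and the multiple-of-R shortcut both branch on operand values, so execution time depends on the data being processed. Constant-time implementations perform the subtraction unconditionally and select the result without branching.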